Hi Veronica,
I just found this question in my mailbox - sorry it took so long.
By default, Resteasy is configured to avoid a variety of security
problems, including XXE. For example, it sets
"http://javax.xml.XMLConstants/feature/secure-processing" to "true" by
default.
Removing application/xml would be difficult, since it's one of the media
types that the JAX-RS spec requires support for.
Note that implementations of Xerces, the XML parser, get more secure
over time, guarding against more and more possible attacks. There's a
version of Xerces in the JDK, so using a newer JDK, if you can, isn't a
bad idea.
-Ron
On 07/12/2017 10:49 PM, Wang Veronica wrote:
Hi experts,
We use resteasy 3.0.6final, and an XXE vulnerability was reported during a penetration test.
It seems that 3.0.6final contains a partial fix for the XXE vulnerability, but the
resteasy.document.expand.entity.references parameter needs to be set to false explicitly. A more complete
fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am considering is not
to support the XML media type (we actually need to support JSON only). Is this a feasible
approach to ultimately avoid XXE attacks, and are there any pointers on how to achieve this? (In our REST API
code, we currently declare consume and produce annotations to support application/xml and
application/json.)
Is there a simple resteasy configuration to disable support of application/xml?
Thanks, Veronica
_______________________________________________
resteasy mailing list
resteasy(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/resteasy
--
My company's smarter than your company (unless you work for Red Hat)
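As an added illustration of the parser hardening Ron describes (this is not RESTEasy code and not part of the thread), the following standalone Java class builds a DOM parser that sets the secure-processing feature from the reply and additionally refuses any DOCTYPE, so an entity-bearing document is rejected before anything is expanded. The Xerces feature URIs are the standard ones shipped in the JDK parser; the sample documents are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

/** Hardened DOM parser: secure-processing on, DTDs refused, external entities off. */
public final class HardenedXml {

    // Constructed sample: a DOCTYPE declaring an internal entity. A parser that
    // expands entities would return "secret"; the hardened one rejects the DOCTYPE.
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE note [<!ENTITY x \"secret\">]>"
      + "<note>&x;</note>";

    // Constructed sample with no DTD at all; parses normally.
    static final String PLAIN_SAMPLE = "<note>hello</note>";

    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Same feature Ron names as RESTEasy's default (javax.xml.XMLConstants/feature/secure-processing).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DTD, so no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the line above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the hardened factory and returns the root element's text. */
    public static String parseText(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseText(PLAIN_SAMPLE));   // hello
        try {
            parseText(DOCTYPE_SAMPLE);                 // throws: DOCTYPE is disallowed
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a RESTEasy application the same effect at the framework level comes from upgrading past 3.0.10 or setting resteasy.document.expand.entity.references to false, and declaring only application/json in @Consumes/@Produces removes the XML entry point altogether.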