CVE-2014-3599
Find out more about CVE-2014-3599 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Not Vulnerable. HornetQ REST is not provided by any Red Hat product.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | hornetq | Not affected |
Acknowledgements
Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.Mitigation
When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:
<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
