CVE-2016-8739: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.0.12 and 3.1.9.

Description:
The Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use the Apache Abdera Parser to parse Atom feeds or entries, and this parser expands XML entities by default. This represents a major XXE risk.

Credit:
This issue was reported by Mikhail Egorov (0ang3el).

This has been fixed in revisions:
CXF 3.1.x: http://git-wip-us.apache.org/repos/asf/cxf/commit/9deb2d17
CXF 3.0.x: http://git-wip-us.apache.org/repos/asf/cxf/commit/8e4970d9
CXF 3.2.0-SNAPSHOT (master): http://git-wip-us.apache.org/repos/asf/cxf/commit/d9e2a6e7

Migration:
CXF 3.0.x users should upgrade to 3.0.12 or later as soon as possible.
CXF 3.1.x users should upgrade to 3.1.9 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.html
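The description turns on one parser setting: the Atom reader's XML parser processes the DTD and expands entities by default. The following is an added Java example, not code from CXF or Abdera, that puts a JAXP parser left at its defaults beside one configured to reject any DOCTYPE, and runs both over a constructed Atom entry; the class name AtomEntryGuard and the sample entry are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
/** Added example (class name assumed); not CXF or Abdera code. */
public class AtomEntryGuard {
    // Constructed sample: an Atom entry whose DOCTYPE declares an internal entity that
    // <title> references. A parser that honours the DTD substitutes "reader" for &who;.
    // Refusing the DOCTYPE outright is what also stops external entities being declared.
    static final String ENTRY_WITH_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE entry [ <!ENTITY who \"reader\"> ]>\n"
        + "<entry xmlns=\"http://www.w3.org/2005/Atom\">\n"
        + "  <title>Hello &who;</title>\n"
        + "</entry>\n";
    /** JAXP parser with factory defaults: DTD processed, entities expanded (the risky setting). */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }
    /** Hardened JAXP parser: any DOCTYPE is a fatal error and external entities are disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }
    /** Returns the entry's <title> text, or throws when the parser rejects the document. */
    static String titleOf(DocumentBuilder builder, String xml) throws SAXException, IOException {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("title").item(0).getTextContent();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default parser : " + titleOf(defaultBuilder(), ENTRY_WITH_DTD));
        try {
            titleOf(hardenedBuilder(), ENTRY_WITH_DTD);
        } catch (SAXException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The default builder returns the title with the entity substituted, while the hardened builder raises a SAXParseException at the DOCTYPE before any entity is declared, which is the behaviour to verify on whatever parser sits behind an Atom or other XML MessageBodyReader.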