We found that web services written using JBossWS (JAX-WS) are vulnerable to an External XML injection attack.
One of the ways to mitigate this issue is by configuring the SAXFactory instance,
i.e. factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
The web services are implemented with @WebService and @WebMethod and endpoint interfaces, and nowhere are we creating SAXFactory instances.
Where should I make these changes? I have no idea where JBossWS creates the SAXFactory instances.
We use JBoss version 6.0.
It is said here (Disable DTD declaration) that this issue has been fixed in JBossWS 3.31. Can someone help me find the bug ID so that I can pull the changes?