Ensure that defaults for `XMLInputFactory` have expansion of external parsed general entities disabled [CVE-2016-3720]

[cowtowncoder]

To reduce likelihood of malicious XXE, let's ensure that XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES is disabled by default when instantiate by Jackson.

[astellingwerf]

Will you update the corresponding entry in the NVD with fix versions?

[cowtowncoder]

@astellingwerf I had nothing to do with filing CVEs in question nor have access. I have tried contacting Red Hat and we'll see where that leads. If anyone has contacts to follow up with that would be helpful.

[brettcave]

Have also followed up with RH via their ticket that filed the vulnerability - https://bugzilla.redhat.com/show_bug.cgi?id=1328427
It may be due to the ticket status still showing as NEW and need a resolution and/or re-testing.

[cowtowncoder]

@brettcave thank you for your help with bugzilla entry. 2.7.4 is the version here; and 2.8.0 includes fixed default settings.

[brettcave]

Thanks @cowtowncoder . Both 2.7.4 and 2.8.0 still fail CVE / OWASP checks as the database needs to be updated, waiting on RH to update it, assuming it was logged based on their bugzilla issue.

[cowtowncoder]

FWTW this is related to http://www.cvedetails.com/cve/CVE-2016-3720