diff -up Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java.1073 Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
--- Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java.1073 2014-09-29 17:44:28.776812688 -0400
+++ Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-09-29 17:47:52.202425895 -0400
@@ -154,6 +154,7 @@ public class ExternalEntityUnmarshaller
 XMLReader xmlReader = sp.getXMLReader();
 xmlReader.setFeature("http://xml.org/sax/features/validation", false);
 xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 SAXSource saxSource = new SAXSource(xmlReader, source);
 return delegate.unmarshal(saxSource);
 }
@@ -198,6 +199,7 @@ public class ExternalEntityUnmarshaller
 XMLReader xmlReader = sp.getXMLReader();
 xmlReader.setFeature("http://xml.org/sax/features/validation", false);
 xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 ((SAXSource) source).setXMLReader(xmlReader);
 return delegate.unmarshal(source, declaredType);
 }
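Review bot: The reader hardening is now the same three `setFeature` calls copied into both hunks (@@ -154 and @@ -198), so the list can drift between the two unmarshal paths; a private helper such as `configureReader(XMLReader)` called from both would keep them in step. These features only block external resolution, so entity expansion inside an inline DOCTYPE is not bounded by anything visible here. If callers never need DTDs, `xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` would close that as well, though it is a Xerces feature and needs a guard for parsers that do not recognise it. How `sp` is created lies outside both hunks, as do the starts of the enclosing methods, so whether `XMLConstants.FEATURE_SECURE_PROCESSING` is already set on the factory cannot be confirmed from this patch.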