Hi there,

    I think the method
org.apache.axis2.wsdl.codegen.extension.JAXBRIExtension.getNamespaceAwareDocumentBuilder()
may have an XXE vulnerability that is present in the newest version of
org.apache.axis2:axis2. It shares similarities with a recent CVE disclosure,
*CVE-2021-4295* in the *"onc-healthit/code-validator-api"* project.

    The source vulnerability information is as follows:

> *Vulnerability Detail:*
>
> *CVE Identifier:* CVE-2021-4295
>
> *Description*: A vulnerability classified as problematic was found in ONC
> code-validator-api up to 1.0.30. This vulnerability affects the
> vocabularyValidationConfigurations of the file
> src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java
> of the component XML Handler. The manipulation leads to xml external entity
> reference. Upgrading to version 1.0.31 is able to address this issue. The
> name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is
> recommended to upgrade the affected component. VDB-217018 is the identifier
> assigned to this vulnerability.
>
> *Reference:* https://nvd.nist.gov/vuln/detail/CVE-2021-4295
>
> *Patch*:
> https://github.com/onc-healthit/code-validator-api/commit/fbd8ea121755a2d3d116b13f235bc8b61d8449af
>

*Vulnerability Description:* The vulnerability is present in the method
getNamespaceAwareDocumentBuilder() of the class
org.apache.axis2.wsdl.codegen.extension.JAXBRIExtension, which is responsible
for obtaining a DocumentBuilder object that supports namespace resolution. The
vulnerable call chain we discovered is: *engage(CodeGenConfiguration
configuration) → loadAdditionalSchemas() → getNamespaceAwareDocumentBuilder().*
Given that the XML schema files stored under
/org/apache/axis2/wsdl/codegen/schema/ have been compromised by an attacker,
the victim's regular workflow, which includes executing the method engage(),
results in an XML External Entity (XXE) injection attack.

*Recommended Actions:*
    The corresponding fix is similar to that of CVE-2021-4295 to some extent. I
have provided the following fix by applying several patching statements in
the method getNamespaceAwareDocumentBuilder() of the class
org.apache.axis2.wsdl.codegen.extension.JAXBRIExtension, ensuring that
external entities and DTDs are not loaded when parsing and processing XML
documents with the document builder.

  // Proposed replacement for the document builder used by JAXBRIExtension:
  // every switch that would let the parser fetch a DTD, an external schema or
  // an external entity is turned off before the builder is created.
  private DocumentBuilder createDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(
        "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl",
        ClassLoader.getSystemClassLoader());

    // JAXP 1.5 properties: an empty value means no protocol may be used to
    // fetch external DTDs or external schemas.
    documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

    // Reject any DOCTYPE outright, so no entity declarations can be introduced at all.
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

    // Defence in depth in case the DOCTYPE restriction is ever relaxed:
    // no external general or parameter entities, and no external DTD loading.
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    // No XInclude processing, no entity expansion, but keep namespaces (the
    // schema loader relies on them).
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilderFactory.setNamespaceAware(true);

    return documentBuilderFactory.newDocumentBuilder();
  }
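As an added check that is not part of this report or of the Axis2 code base: a
stand-alone Java program that builds a DocumentBuilder with the same hardening
settings as the fix above (using the default JAXP factory rather than the
Xerces class name) and parses two constructed inputs, a plain schema-like
document and one carrying a harmless inline DOCTYPE. The class and method names
(HardenedParserCheck, hardenedBuilder, accepts) are my own. It shows what a
regression test for this fix would assert: the plain document still parses,
while any DOCTYPE is refused by the parser before its entity declarations are
considered.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedParserCheck {

    // Hardened factory: the same settings as the proposed fix, on the default JAXP provider.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Parses the given XML text and reports whether the builder accepted it.
    // A SAXException (including SAXParseException for a forbidden DOCTYPE) means rejection.
    static boolean accepts(DocumentBuilder b, String xml) throws IOException {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedBuilder();

        // Constructed sample: a schema-like document without a DOCTYPE, which must still parse.
        String plain = "<?xml version=\"1.0\"?>"
                + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"/>";

        // Constructed sample: a document with an inline DOCTYPE declaring only an internal
        // text entity. The hardened builder rejects it regardless of what the DTD contains,
        // because disallow-doctype-decl stops parsing at the DOCTYPE itself.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE x [ <!ENTITY e \"text\"> ]><x>&e;</x>";

        System.out.println("plain document accepted:   " + accepts(b, plain));
        System.out.println("DOCTYPE document accepted: " + accepts(b, withDoctype));
    }
}
```

Running this against a builder that lacks the disallow-doctype-decl feature is
a quick way to see the difference: the second document then parses and the
entity is expanded, which is the behaviour the fix removes. Note that the
default DocumentBuilder prints a "[Fatal Error]" line to stderr before throwing;
a test harness would normally install its own ErrorHandler to keep that quiet.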

    Considering the potential risks it may have, I am willing to cooperate
with you to verify, address, and report the identified vulnerability
promptly through responsible means. If you require any further information
or assistance, please do not hesitate to reach out to me.
    Thank you, and I look forward to hearing from you soon.


Best regards,
Yiheng Cao
