CVE-2016-3674
Vulnerability
CVE-2016-3674: XML External Entity (XXE) Vulnerability in XStream.
Affected Versions
XStream is not vulnerable if the default XML Pull Parser is used (Xpp3 or kXML2), since these parser types do not process XML entities at all.
All versions up to and including 1.4.8 are affected if one of the following parsers is used explicitly:
- DOM4J
- DOM
- JDOM
- JDOM2
- StAX implementation
- XOM
XStream's HierarchicalStreamDriver implementations now explicitly turn off the processing of external entities, but not all parser implementations respect that setting. XStream therefore remains vulnerable, also in future versions, if one of the following parser implementations is used explicitly:
- DOM implementation from Java 5 runtime and below
- StAX implementation from Java 6 runtime and below
- StAX implementation from BEA (old reference implementation)
- XOM
Description
XStream supports many different XML parsers. Some of them can also process external entities, and this processing was enabled by default. An attacker could therefore supply manipulated XML as input to read data from the file system, see XXE Vulnerability.
Steps to Reproduce
An attacker might use external general or parameter entities:
<?xml version="1.0"?><!DOCTYPE root [ <!ELEMENT string (#PCDATA)> <!ENTITY content SYSTEM "file:/etc/passwd"> ]><string>&content;</string>
<?xml version="1.0"?><!DOCTYPE root [ <!ELEMENT string (#PCDATA)> <!ENTITY content SYSTEM "file:/etc/passwd"> %content; ]><string>test</string>
Use one of the XML documents above, initialize XStream with a vulnerable parser, and unmarshal the XML:
// driver: an instance of one of the affected HierarchicalStreamDriver implementations listed above;
// the no-argument constructor selects the default pull parser, which does not expand entities
XStream xstream = new XStream(driver);
String s = (String)xstream.fromXML(xml);
Impact
The vulnerability may allow a remote attacker to retrieve the content of arbitrary files with known locations in a local file system if the Java process has read access.
Workaround
Use one of the XML Pull Parser implementations.
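Added example, not XStream's own code: the entity hardening that the advisory says XStream's drivers now apply, done directly at the JAXP level for the DOM and StAX parsers named above, so that an application wiring its own parser can check that the advisory's first document is either refused or left unexpanded. Class and method names are assumptions; the file path is the one from the advisory.

```java
import java.io.StringReader;
import javax.xml.parsers.*;
import javax.xml.stream.*;
import org.xml.sax.*;

public class XxeHardeningCheck {
    // Constructed input: the first document from the advisory above.
    static final String XXE_DOC = "<?xml version=\"1.0\"?><!DOCTYPE root [<!ELEMENT string (#PCDATA)>"
            + "<!ENTITY content SYSTEM \"file:/etc/passwd\">]><string>&content;</string>";

    // DOM (JAXP): refusing any DOCTYPE removes general and parameter entities alike.
    static DocumentBuilderFactory hardenedDom() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // StAX: no DTD processing and no external entity resolution.
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // True when the parser refuses the document or leaves <string> empty (entity not expanded).
    // A feature the parser does not support surfaces as ParserConfigurationException, not as a pass.
    static boolean domBlocks(String xml) throws Exception {
        try {
            return hardenedDom().newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getTextContent().isEmpty();
        } catch (SAXException e) { return true; } // "DOCTYPE is disallowed when the feature ... set to true"
    }

    static boolean staxBlocks(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedStax().createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
        } catch (XMLStreamException e) { return true; } // DTD refused, or &content; referenced but never declared
        return text.length() == 0;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM blocks XXE: " + domBlocks(XXE_DOC) + ", StAX blocks XXE: " + staxBlocks(XXE_DOC));
    }
}
```

Run the same check against the parser actually handed to XStream: on the old DOM and StAX runtimes listed above the feature calls fail, which is exactly the case where the setting is not respected and the pull parser workaround is the only fix.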