JERSEY-1714

Jersey web services are vulnerable to XXE (entity expansions vector)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.17, 2.0-m12, 2.0
    • Fix Version/s: 2.0-rc2, 2.0
    • Component/s: security
    • Labels: None

      Description

      Jersey is vulnerable to entity expansion (http://clawslab.nds.rub.de/wiki/index.php/XML_Generic_Entity_Expansion)

      ===

      For the given resource, a single request could cause memory exhaustion (java.lang.OutOfMemoryError).

      import javax.ws.rs.POST;
      import javax.ws.rs.Path;
      import javax.xml.bind.annotation.XmlAccessType;
      import javax.xml.bind.annotation.XmlAccessorType;
      import javax.xml.bind.annotation.XmlElement;
      import javax.xml.bind.annotation.XmlRootElement;

      // Minimal JAX-RS resource. The request body is unmarshalled from XML by
      // Jersey's JAXB message body reader before ping() runs, so the entity
      // expansion happens inside the XML parser, not in application code.
      @Path( "/ping" )
      public class PingService {
      
      	@POST
      	public String ping( PingRequest req ) {
      		return req.getInput();
      	}
      
      	// JAXB-bound request: <ping><input>...</input></ping>
      	@XmlRootElement( name = "ping" )
      	@XmlAccessorType( value = XmlAccessType.FIELD )
      	public static class PingRequest {
      
      		@XmlElement
      		private String input;
      
      		public String getInput() {
      			return input;
      		}
      
      		public void setInput( String input ) {
      			this.input = input;
      		}
      	}
      }
      

      Request example:

      POST /ping HTTP/1.1
      Host: attack.me
      Accept: application/xml
      Content-Type: application/xml
      Content-Length: 1338
      
      <!DOCTYPE lolz [
        <!ENTITY lol "lollollollollollollol[...]">
        <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
        <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
        <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
        <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
        <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      ]>
      <ping><input>&lol6;</input></ping>
      

      The Xerces parser has a default limit of 100,000 entity expansions. Nevertheless, that is enough to generate enormous strings.

        Activity

        Marek Potociar added a comment -

        When working on the fix, check http://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security .
        Miroslav Fuksa added a comment -

        It would be nice if Jersey had a configuration that would allow the entity expansion limit to be changed. Unfortunately, there is no solution using clean JAXP to configure the limit for one specific SAX parser, which is exactly what we would need in our message body readers. The only possible way is to define the system property with the limit:

        System.setProperty("entityExpansionLimit", "10");

        ... or define the property using command line arguments or environment properties.

        Please note that the system property will be used for all SAX parsers on the JVM and not only in Jersey message body readers (so it will, for example, influence all SAX/DOM parsers used in the server in which Jersey is running).

        You can also use the property "elementAttributeLimit" to limit the maximum number of attributes in elements.

        Also please note that in order to use secure parsing in Jersey the following property must NOT be configured:

        org.glassfish.jersey.message.MessageProperties.XML_SECURITY_DISABLE

        ... the property would disable secure parsing and the limits would be ignored.
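To show the expansion described in the report and the effect of the system property workaround from the comment above, here is an added example (not code from the issue or from Jersey): a constructed, scaled-down entity expansion document is parsed with the JDK's JAXP SAX parser, first with the default limit and then after setting entityExpansionLimit. The class name and the payload are constructed for this example, and it assumes the JDK's bundled Xerces reads that property when each parser is created.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityExpansionLimitDemo {
    // Constructed, scaled-down version of the report's payload: three nested levels
    // of ten references expand "lol" 1,000 times (1,111 expansions), well under the default limit.
    static final String PAYLOAD = "<!DOCTYPE lolz [\n"
        + "  <!ENTITY lol \"lol\">\n"
        + "  <!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
        + "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
        + "  <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n"
        + "]>\n<ping><input>&lol4;</input></ping>";

    // Parses xml with a fresh SAX parser; returns the number of characters the
    // content handler received, or -1 if the parser refused the document.
    static long parse(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Limits apply only while secure processing is on; Jersey's
        // XML_SECURITY_DISABLE property is what would switch it off.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        final long[] chars = {0};
        try {
            factory.newSAXParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler() {
                    @Override
                    public void characters(char[] ch, int start, int len) {
                        chars[0] += len;
                    }
                });
            return chars[0];
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Default limit: a ~300-byte document yields 3,000 characters of text.
        System.out.println("default limit -> chars: " + parse(PAYLOAD));
        // JVM-wide workaround from the comment above. Assumption: the JDK's Xerces reads
        // it when a parser is created, so set it before newSAXParser(); it affects every parser in the JVM.
        System.setProperty("entityExpansionLimit", "10");
        System.out.println("limit 10 -> chars: " + parse(PAYLOAD));
    }
}
```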
        Miroslav Fuksa added a comment -

        I am closing the issue.

        Cannot be implemented, as JAXP does not allow controlling entity expansion limits for specific parsers. The solution is to use the system property (and influence all SAX parsers). Tests were added to Jersey that verify that configuration by system properties works. See the comments on this issue for details.
        Miroslav Fuksa added a comment -

        This bug was Closed but should be Resolved.
        andrew.eisenberg added a comment -

        Does this vulnerability exist in version 1.2?

          People

          • Assignee: Miroslav Fuksa
          • Reporter: h3xstream
          • Votes: 0
          • Watchers: 1

          Time Tracking

          • Estimated: 6h
          • Remaining: 0m
          • Logged: 10h