Vulnerability: Castor Library default configuration could lead to XML External Entity (XXE) Attack

Document ID : KB000017620
Last Modified Date : 14/02/2018

Description:

The Castor library is an Open Source data-binding framework for Java applications. One of its most useful functions is to provide easy implementations of Java-to-XML binding. In its default configuration, however, the library's unmarshalling class is susceptible to XML External Entity (XXE) attacks, because the SAX parser it uses resolves external entities declared in a DOCTYPE. If the XML passed to the unmarshalling function is controllable by an end user, an attacker can retrieve local resources (for example, read files from the server), make the server fetch attacker-supplied content such as an external DTD from other hosts, and open arbitrary TCP connections from the server (server-side request forgery).

Solution:

This vulnerability is fixed in PAM 4.2SP2. To correct it in any earlier release, follow the instructions below. Note that the change is made inside jar files shipped with the product, so it must be reapplied if those jars are replaced by a later patch before the upgrade to 4.2SP2.

The fix for this issue is very simple. The main Castor configuration file (castor.properties) can be used to specify which SAX parser features should be enabled or disabled. To prevent the parser from reading external entities, the external-general-entities and external-parameter-entities features must be disabled, and loading of external DTDs (load-external-dtd) should be disabled as well. Additionally, the disallow-doctype-decl feature should be turned on, so that any document carrying a DOCTYPE declaration is rejected outright rather than parsed.

To modify the castor.properties file, perform the following steps:

  1. Go to the PAM domain installation directory.

  2. Open the c2ocommon-snapshot.jar file (Path: <PAM_installation_location>\server\c2o\ext-lib) using WinZip or another archive tool such as 7-Zip.

  3. Open and edit the castor.properties file inside the jar. Add the following lines at the end:

    # Comma separated list of SAX 2 features that should be enabled
    # for the default parser.
    org.exolab.castor.sax.features=\
    http://apache.org/xml/features/disallow-doctype-decl
    # Comma separated list of SAX 2 features that should be disabled
    # for the default parser.
    org.exolab.castor.sax.features-to-disable=\
    http://xml.org/sax/features/external-general-entities,\
    http://xml.org/sax/features/external-parameter-entities,\
    http://apache.org/xml/features/nonvalidating/load-external-dtd

  4. Save the file.

  5. Copy the modified c2ocommon-snapshot.jar file and paste it into both of the following locations:

    1. <PAM_installation_location>\server\c2o\.c2orepository\.c2ocommonresources\lib\c2o\jars

    2. <PAM_installation_location>\server\c2o\.c2orepository\.c2oserverresources\lib

  6. Now open the servermbeans.jar file (Path: <PAM_installation_location>\server\c2o\ext-lib) using WinZip or another archive tool such as 7-Zip.

  7. Open and edit the castor.properties file inside the jar, adding the same lines as in Step 3 above.

  8. Save the file.

  9. Copy the modified servermbeans.jar file and paste it into the following location:

    1. <PAM_installation_location>\server\c2o\.c2orepository\.c2oserverresources\lib

  10. Restart the PAM orchestrator so that the updated jars are loaded.
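The following Java program is an added example, not code from this knowledge base article or from the PAM product, showing what the two feature lists in Step 3 actually change. It applies the same property keys and values programmatically through Castor's XMLContext (setting them in castor.properties on the classpath, as the steps above do, has the same effect on the default parser) and feeds a constructed XXE probe to the Unmarshaller. The Ticket bean, the CastorXxeCheck class name, and the file:///etc/hostname target of the probe are assumptions chosen for the illustration; with the default context and an unpatched castor.properties the entity is resolved and the file content lands in the bean, whereas the hardened context rejects the DOCTYPE before any entity is touched.

```java
import java.io.StringReader;

import org.exolab.castor.xml.MarshalException;
import org.exolab.castor.xml.Unmarshaller;
import org.exolab.castor.xml.ValidationException;
import org.exolab.castor.xml.XMLContext;

public class CastorXxeCheck {

    // Minimal bean for Castor's introspection-based unmarshalling (assumed, not a PAM class).
    public static class Ticket {
        private String note;
        public String getNote() { return note; }
        public void setNote(String note) { this.note = note; }
    }

    // Constructed XXE probe: &xxe; expands to the content of a local file whenever the
    // parser honours external general entities. /etc/hostname is used only because it is small.
    private static final String XXE_PROBE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE ticket [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<ticket><note>&xxe;</note></ticket>";

    // Identical to the values added to castor.properties in Step 3.
    private static final String FEATURES_TO_ENABLE =
          "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String FEATURES_TO_DISABLE =
          "http://xml.org/sax/features/external-general-entities,"
        + "http://xml.org/sax/features/external-parameter-entities,"
        + "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Context whose default SAX parser gets the hardened feature lists, set programmatically. */
    static XMLContext hardenedContext() {
        XMLContext ctx = new XMLContext();
        ctx.setProperty("org.exolab.castor.sax.features", FEATURES_TO_ENABLE);
        ctx.setProperty("org.exolab.castor.sax.features-to-disable", FEATURES_TO_DISABLE);
        return ctx;
    }

    /**
     * Unmarshals the probe with the given context. Returns the text that ended up in <note>
     * (the leaked file content when the parser is vulnerable), or null when the parser
     * refused the document.
     */
    static String unmarshalProbe(XMLContext ctx) throws ValidationException {
        Unmarshaller unmarshaller = ctx.createUnmarshaller();
        unmarshaller.setClass(Ticket.class);
        try {
            Ticket ticket = (Ticket) unmarshaller.unmarshal(new StringReader(XXE_PROBE));
            return ticket.getNote();
        } catch (MarshalException e) {
            // With disallow-doctype-decl enabled, Xerces throws on the DOCTYPE itself,
            // so the entity declaration is never processed and no file is read.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Default context: behaves according to whatever castor.properties is on the classpath.
        // With an unpatched file the default Xerces parser resolves the entity.
        String leaked = unmarshalProbe(new XMLContext());
        System.out.println("default context  -> note = " + leaked);

        // Hardened context: the probe must be rejected regardless of classpath configuration.
        String result = unmarshalProbe(hardenedContext());
        System.out.println("hardened context -> "
            + (result == null ? "DOCTYPE rejected" : "STILL VULNERABLE, note = " + result));
    }
}
```

Run it once with the original castor.properties and once with the patched jars on the classpath: the first line of output should change from the file content to "note = null" or an exception, while the hardened context prints "DOCTYPE rejected" in both cases. If the default context still leaks after the patch, the JVM is loading a castor.properties from an unpatched copy of the jar, which is why Step 5 and Step 9 copy the modified jars to every location listed.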