The most common attack scenario is an unauthenticated remote code execution. Because RPCRouterServlet is not protected by a filter, an attacker can exploit this vulnerability by injecting malicious SOAP messages. To exploit this issue, the attacker must be able to send SOAP messages to the target system. This can be achieved by injecting the request into an Apache SOAP server, for example by adding the following code to a web application.

```xml
<wsse:Encode>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xenc#aes128-cbc" />
    <xenc:CipherData>
      <xenc:CipherValue>q4Vl4OdpwZDQ2Q==</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</wsse:Encode>
```

The attacker can send the following SOAP request to the Apache SOAP server. The request will be processed by RPCRouterServlet, which will cause the Apache SOAP server to send the request to the target system.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:wsse="http://apache
```

Vulnerability details

The vulnerability is caused by the lack of authentication for RPCRouterServlet. Due to this, an attacker could exploit this vulnerability by sending a malicious SOAP message with a payload that will execute commands on the target system. To exploit this issue, the attacker must be able to send SOAP messages to the IP address or domain of the vulnerable system.

RPCRouterServlet is not protected by a filter

The RPCRouterServlet is exposed to the world with no protection. It does not have any security mechanisms in place. This can be exploited by attackers who are able to send SOAP messages to the target system.
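The missing piece the advisory describes is an authentication gate in front of the router servlet. The filter below is an added example, not Apache SOAP's own code: it refuses any request to the router that does not carry a valid HTTP Basic credential, so the SOAP envelope is never parsed for an unauthenticated caller. The URL pattern `/servlet/rpcrouter` and the `username`/`password` init-params are assumptions to be matched to the deployment's web.xml.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed deployment: map this filter in web.xml to the rpcrouter URL pattern
// (e.g. <url-pattern>/servlet/rpcrouter</url-pattern>) and give it the
// init-params "username" and "password" for the one credential allowed through.
public class RpcRouterAuthFilter implements Filter {
    private byte[] expected; // "user:pass" as bytes, compared in constant time

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String u = cfg.getInitParameter("username");
        String p = cfg.getInitParameter("password");
        if (u == null || p == null) {
            // Fail closed at startup rather than deploying an open router.
            throw new ServletException("rpcrouter filter: username/password init-params missing");
        }
        expected = (u + ":" + p).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!authorized(request.getHeader("Authorization"))) {
            // Reject before RPCRouterServlet ever sees the body: no XML parsing, no dispatch.
            response.setHeader("WWW-Authenticate", "Basic realm=\"rpcrouter\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    // Accepts only "Basic <base64(user:pass)>" that matches the configured credential.
    boolean authorized(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false; // malformed base64 is treated as no credential
        }
        return MessageDigest.isEqual(expected, presented);
    }

    @Override
    public void destroy() { }
}
```

Where the container already provides an identity store, a `<security-constraint>` on the same URL pattern achieves the same gate without a custom filter; the filter is useful where the servlet must stay deployable on containers without that configuration.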

Timeline

Published on: 09/22/2022 09:15:00 UTC
Last modified on: 09/24/2022 02:36:00 UTC

References