🔒 XML External Entity Pitfalls With JAXB

September 16, 2020

A Contrast Security user objected to an XML External Entities (XXE) vulnerability report from the Contrast Java agent (the product I work on at Contrast Security). Their false positive claim sent me down the rabbit hole of researching what we called “Java XML Hell”. This research ultimately resulted in a change to OWASP’s XXE Cheat Sheet. It turns out that securing JAXB against XXE attacks is really difficult, and the Contrast Java agent accurately reported the application to be vulnerable 🙌.

Before accepting our proposed changes, the OWASP XXE Cheat Sheet advised OpenJDK 1.8 users that their JAXB applications are safe from XXE attacks. The advice read:

Since JDK-8010393, which is in OpenJDK 8 beta 86, javax.xml.bind.Unmarshaller instances are safe by default. The other classes mentioned here are still unsafe by default in Java 8.

While researching this issue, I discovered that an application parsing untrusted XML on an OpenJDK 1.8 runtime may be vulnerable to XXE when:

  • the JAXB runtime has been inadvertently replaced with a different JAXB runtime that is not safe-by-default (e.g. EclipseLink MOXy)
  • the secure SAX parser that the OpenJDK 1.8 Unmarshaller uses has been inadvertently replaced with a different implementation that is not safe-by-default (e.g. xercesImpl:2.8.0)
  • the application uses one of the unmarshal overloads that does not delegate XML parsing to the safe-by-default SAX parser

Given all of these caveats, I do not think that OpenJDK 1.8 users should assume that their JAXB Unmarshaller is safe from XXE attacks by default.
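One way to stop depending on which JAXB runtime or SAX parser happens to be on the classpath is to hand JAXB a parser that the application configured itself, so the three pitfalls above no longer apply. The following is an added example, not code from the original post, from Contrast Security, or from OWASP. It assumes Java 8 with the `javax.xml.bind` API, a hypothetical `Greeting` type, and a constructed test document that declares an external entity. Whether a given parser refuses the DOCTYPE outright or fails later on the undeclared entity reference is implementation-specific; the point is that neither hardened path ever fetches the external resource.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedJaxbUnmarshal {

    // Hypothetical payload type used for the demonstration.
    @XmlRootElement(name = "greeting")
    public static class Greeting {
        @XmlElement
        public String message;
    }

    // Constructed test document: a DOCTYPE declaring an external entity.
    // A parser that resolves it would copy the referenced file into <message>.
    static final String XXE_DOC =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE greeting [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<greeting><message>&xxe;</message></greeting>";

    /** Unmarshal through a SAX parser configured here, so the result does not
     *  depend on which JAXB runtime or xerces version ended up on the classpath. */
    static Greeting unmarshalViaSax(JAXBContext ctx, String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Rejecting DOCTYPE altogether blocks every XXE variant (and entity expansion attacks).
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the Xerces-specific feature above.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        // Passing a SAXSource with our own XMLReader makes JAXB use this parser.
        Unmarshaller u = ctx.createUnmarshaller();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        return (Greeting) u.unmarshal(source);
    }

    /** Same idea with StAX: the XMLStreamReader overload parses with whatever
     *  reader the caller supplies, so the caller owns hardening that reader. */
    static Greeting unmarshalViaStax(JAXBContext ctx, String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));

        Unmarshaller u = ctx.createUnmarshaller();
        return (Greeting) u.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Greeting.class);
        for (String mode : new String[] {"sax", "stax"}) {
            try {
                Greeting g = mode.equals("sax")
                        ? unmarshalViaSax(ctx, XXE_DOC)
                        : unmarshalViaStax(ctx, XXE_DOC);
                // Reaching this line with file contents in `message` means the
                // parser resolved the external entity, i.e. it is NOT hardened.
                System.out.println(mode + ": NOT HARDENED, message=" + g.message);
            } catch (Exception e) {
                // Expected: the hardened parser either refuses the DOCTYPE or
                // fails on the undeclared entity; either way nothing is fetched.
                System.out.println(mode + ": rejected (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

The overloads that take a raw `InputStream`, `Reader`, `File` or `URL` leave the choice of parser to the JAXB runtime, which is exactly the dependency the three bullets above describe; supplying a `SAXSource` built on your own `XMLReader`, or an `XMLStreamReader` from your own `XMLInputFactory`, keeps that choice in the application's hands. Run the program with the test document to confirm that both paths report "rejected" before trusting the configuration in production.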

Contrast Security published my research to its Security Influencer’s blog, and OWASP accepted my change request to remove the misleading guidance from its XXE Cheat Sheet.

This is not the first time I have written about securing XML and Java. Last year, I wrote an article for Baeldung about how to secure XStream from Remote Code Exploitation. One thing I have learned at Contrast Security is that tracing the relationships between the various Java XML technologies and how to secure them is enough to make anyone’s head spin!


© 2020, Johnathan Gilday