JavaMelody XML External Entity (XXE) vulnerability
Description
JavaMelody is a monitoring tool for Java and Java EE applications used in QA and production environments. Versions prior to 1.74.0 contain an XML External Entity (XXE) injection vulnerability in the parseSoapMethodName method within bull/javamelody/PayloadNameRequestWrapper.java. Because the SOAP request body is parsed with external entity resolution enabled and without validation, an attacker can submit crafted XML that the application processes, enabling unauthorized file access, server-side request forgery (SSRF), and denial-of-service (DoS) attacks.
Remediation
Immediately upgrade JavaMelody to version 1.74.0 or later, which addresses this vulnerability. Follow these steps:
1. Update the JavaMelody dependency in your project's build configuration (Maven, Gradle, etc.) to version 1.74.0 or higher
2. Rebuild and redeploy your application
3. Verify the upgrade by checking the JavaMelody version in your application's monitoring dashboard
If immediate upgrading is not possible, implement the following temporary mitigations:
- Disable XML external entity processing in all XML parsers used by the application
- Configure XML parsers with secure settings. The fragment below assumes a JAXP DocumentBuilderFactory; setFeature throws ParserConfigurationException, so the calling code must handle or declare it:

    import javax.xml.parsers.DocumentBuilderFactory;

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Reject any DOCTYPE declaration, the vehicle for entity definitions
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Belt-and-braces for parsers that do not honour the feature above
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // XInclude can pull in external documents just like an external entity
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

- Restrict network access to the JavaMelody monitoring endpoints using firewall rules or application-level access controls
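As an added illustration (not JavaMelody's own code), the following class applies the hardened factory settings from the mitigation above to a SOAP method-name extractor of the kind the advisory describes, and shows that a request carrying a DOCTYPE is rejected before any entity is resolved. The class name, the parseSoapMethodName signature and the sample envelopes are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class HardenedSoapMethodName {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Hypothetical helper: a DocumentBuilderFactory hardened with the settings listed above.
    static DocumentBuilderFactory secureFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true); // needed so getLocalName() works on prefixed elements
        return dbf;
    }
    // Hypothetical hardened equivalent of parseSoapMethodName: local name of the first
    // element inside the SOAP Body, or null when the envelope has no Body element.
    static String parseSoapMethodName(byte[] payload) throws Exception {
        DocumentBuilder db = secureFactory().newDocumentBuilder();
        // With disallow-doctype-decl set, any DOCTYPE makes parse() throw SAXParseException.
        Document doc = db.parse(new ByteArrayInputStream(payload));
        NodeList bodies = doc.getElementsByTagNameNS(SOAP_NS, "Body");
        if (bodies.getLength() == 0) return null;
        NodeList ops = bodies.item(0).getChildNodes();
        for (int i = 0; i < ops.getLength(); i++) {
            if (ops.item(i).getNodeType() == Node.ELEMENT_NODE) return ops.item(i).getLocalName();
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample requests, not captured traffic.
        String env = "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\">"
                + "<soap:Body><getStatus/></soap:Body></soap:Envelope>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"harmless\">]>" + env;
        System.out.println(parseSoapMethodName(env.getBytes(StandardCharsets.UTF_8)));
        try {
            parseSoapMethodName(withDoctype.getBytes(StandardCharsets.UTF_8));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first call prints the operation name; the second is refused at the DOCTYPE, so even a harmless internal entity never reaches the resolver, which is the behaviour to verify after applying the mitigation.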