Jolokia XML External Entity (XXE) vulnerability - Vulnerability Database

Jolokia XML External Entity (XXE) vulnerability

Description

Jolokia is a JMX-HTTP bridge that provides JSON-based REST access to Java Management Extensions (JMX) MBeans. When it is publicly accessible, the reloadByURL action exposed through Jolokia (part of the Logback logging framework integration) lets unauthenticated attackers make the application load a logging configuration from an external URL. The configuration is parsed as XML in a way that is vulnerable to XML External Entity (XXE) injection, so the server ends up processing attacker-controlled XML documents that reference external entities.

Remediation

Implement the following security measures to remediate this vulnerability:

1. Restrict network access: Configure firewall rules and network security groups to block public access to Jolokia endpoints. Only allow connections from trusted internal IP addresses or management networks.

2. Enable authentication: Configure Jolokia to require authentication by adding security constraints in your web.xml or application configuration:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Jolokia</web-resource-name>
    <url-pattern>/jolokia/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

3. Disable dangerous operations: Use Jolokia's policy configuration to restrict or deny access to the reloadByURL operation and other potentially dangerous MBean operations.

4. Disable Jolokia in production: If JMX monitoring is not required in production environments, completely disable or remove the Jolokia endpoint.

5. Update dependencies: Ensure you are running current versions of Jolokia and Logback in which the known XXE vulnerabilities have been patched.
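A Jolokia policy file that puts measures 1 and 3 into practice, added here as an illustration and not taken from the original entry or from the Jolokia project. The management network range is a constructed placeholder, and the Logback JMXConfigurator MBean name is an assumption to be checked against your own deployment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- jolokia-access.xml: placed on the agent's classpath or referenced via the
     agent's policyLocation parameter. Added example, not the vendor's file. -->
<restrict>

  <!-- Measure 1: only management hosts may reach the agent at all.
       10.10.0.0/24 is a constructed example range; substitute your own. -->
  <remote>
    <host>127.0.0.1</host>
    <host>10.10.0.0/24</host>
  </remote>

  <!-- Measure 3: allow-list the Jolokia commands that monitoring needs.
       "exec" is deliberately absent, so no MBean operation, reloadByURL
       included, can be invoked through the bridge. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>

  <!-- Defence in depth: if "exec" is later re-enabled for some other MBean,
       the Logback configurator stays unreachable. The MBean name below is
       assumed to be Logback's default JMXConfigurator name; confirm it with a
       "list" request against your instance. reloadByFileName is the sibling
       operation that also loads XML configuration from a path. -->
  <deny>
    <mbean>
      <name>ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator</name>
      <operation>reloadByURL</operation>
      <operation>reloadByFileName</operation>
    </mbean>
  </deny>

</restrict>
```

After deployment, a read or list request from a management host should still succeed, while any exec request for reloadByURL is rejected by the policy and no configuration is fetched.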
