
OpenCms Chemistry Solr XML External Entity (XXE) vulnerability (CVE-2023-42346)

Description

OpenCms versions prior to the patched release contain an XML External Entity (XXE) vulnerability in the Apache Solr component of Apache Chemistry. This flaw occurs when the application processes untrusted XML input without properly disabling external entity resolution, allowing attackers to send specially crafted XML payloads that reference external entities. Successful exploitation enables unauthorized file system access, server-side request forgery (SSRF), and denial-of-service conditions.

Remediation

Apply the following remediation steps to address this vulnerability:

1. Upgrade OpenCms: Update to OpenCms version 15.0.1 or later, which includes patches for CVE-2023-42346. Review the official OpenCms security advisories for specific version requirements.

2. Verify XML Parser Configuration: If immediate upgrading is not possible, ensure XML parsers are configured to disable external entity processing. For Java-based XML parsers, apply the following secure configuration:

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE outright; this alone blocks external entities, entity expansion and external DTDs
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers that do not honour the feature above
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// XInclude and entity expansion are further ways to pull in external content
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

3. Implement Input Validation: Validate and sanitize all XML input before processing, rejecting documents containing DOCTYPE declarations or external entity references.

4. Apply Network Segmentation: Restrict the application's ability to make outbound connections to only necessary services, limiting the impact of potential SSRF attacks.
