OpenCms Chemistry XML External Entity (XXE) vulnerability (CVE-2023-42344)
Description
OpenCms versions prior to the patched release contain an XML External Entity (XXE) vulnerability in the Apache Chemistry component. This flaw allows unauthenticated attackers to submit malicious XML input, enabling them to read arbitrary files from the server's file system, perform server-side request forgery (SSRF) against internal network resources, or cause denial-of-service conditions. The vulnerability exists because the XML parsers are not configured to disable external entity processing.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade OpenCms immediately: Update to OpenCms version 15.0.2, 16.0.1, or later, which contain patches for CVE-2023-42344. Consult the official OpenCms release notes for your specific version branch.
2. Verify the patch: After upgrading, confirm that XML external entity processing is properly disabled in the Apache Chemistry configuration.
3. Temporary mitigation (if immediate upgrade is not possible): Configure XML parsers to disable external entity processing and DTD resolution. For Java-based XML parsers, apply the following settings:
    import javax.xml.parsers.DocumentBuilderFactory;

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Rejecting any DOCTYPE is the strongest setting; the remaining features are defense in depth
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

4. Network-level controls: Implement web application firewall (WAF) rules to detect and block suspicious XML payloads containing DOCTYPE declarations or external entity references.
5. Post-remediation validation: Test the application to ensure XXE attacks are blocked and normal functionality remains intact.
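The following is an added example, not OpenCms or Apache Chemistry code, that packages the step 3 settings into a hardened parser factory and runs the step 5 check: a constructed benign document must parse, and a constructed document carrying a DOCTYPE must be rejected. The class name, the additional load-external-dtd feature and the sample XML bodies are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {

    // Build a DocumentBuilder with DOCTYPE, external entity and XInclude processing disabled.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE entirely is the strongest setting; the rest are defense in depth.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true when the parser accepted the document, false when it rejected it.
    static boolean parses(DocumentBuilder db, String xml) throws Exception {
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        // Constructed inputs: a benign CMIS-style query body and one that declares a DOCTYPE
        // with an external entity pointing at a harmless local resource.
        String benign = "<?xml version=\"1.0\"?><query><statement>SELECT * FROM cmis:document</statement></query>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE q [<!ENTITY ext SYSTEM \"file:///dev/null\">]><query>&ext;</query>";
        boolean benignAccepted = parses(db, benign);
        boolean doctypeRejected = !parses(db, withDoctype);
        System.out.println("benign document accepted: " + benignAccepted);
        System.out.println("DOCTYPE document rejected: " + doctypeRejected);
        if (!(benignAccepted && doctypeRejected)) {
            throw new IllegalStateException("XML parser is not hardened against XXE");
        }
    }
}
```

Run the class against the same JAXP implementation the application ships with; a non-zero exit means the parser configuration in use still accepts DOCTYPE declarations.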