Lucee 5.4.2 and 6.0 now have anti-XXE configuration enabled by default

We have proposed for a while to enable this protection by default for 6.0, which was widely agreed to.

After some internal discussions, we decided to also make this the default for 5.4, as security shouldn’t be opt-in; Lucee should be secure by default.

These changes have been implemented in

  • 5.4.2.10-SNAPSHOT
  • 6.0.0.514-SNAPSHOT

There will be a 5.4.2 RC and Stable release in the coming weeks

What’s an XXE, you ask?

https://foundeo.com/security/guide/xml-external-entities/

A little example for our test cases: see that URL? It will be called, and bad actors can abuse it to compromise your server just by parsing some XML.

Tickets

You can always change this default per application via the Application.cfc settings

this.xmlFeatures = {
	"externalGeneralEntities": false,
	"secure": true,
	"disallowDoctypeDecl": false
};

To override for a specific use case with trusted xml, you can do the following

application action="update" xmlFeatures={
	"externalGeneralEntities": true,
	"secure": false,
	"disallowDoctypeDecl": false
};

xml = xmlParse( trustedXml );

application action="update" xmlFeatures={
	"externalGeneralEntities": false,
	"secure": true,
	"disallowDoctypeDecl": true
};

Important upgrade advice

Support for this.xmlFeatures was introduced in 5.3.4.51

LDEV-1676 Expose XML Parser Configuration to prevent XXE

All applications should have this enabled via the Application.cfc. If you’re running a version of Lucee older than 5.3.4, consider yourself potentially vulnerable and plan to upgrade immediately.

The Lucee team recommends everyone upgrade to 5.4.1.80, as we have been doing a lot of work to update all the underlying Java libraries to make Lucee as secure as possible.

Supporting Lucee

Do you find these updates and advice useful? Please support our ongoing work.

6 Likes
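As an added example (not from Zac’s post or the Lucee project itself), here is how the settings above can be wired together: an Application.cfc that keeps the secure baseline and exposes a helper which relaxes the parser only for trusted XML and restores the secure settings in a finally block, so a failing xmlParse() can’t leave the rest of the request unsafe, plus a small check page with a constructed XXE payload. The file names, the parseTrustedXml() helper and the payload are my own assumptions; the xmlFeatures keys and getApplicationSettings() are the ones used in this thread.

```cfml
// Application.cfc  (added example, not code from the original post)
component {

	this.name = "xxe-demo";

	// Secure baseline: no external entities, secure processing on, no DOCTYPE at all
	this.xmlFeatures = {
		"externalGeneralEntities": false,
		"secure": true,
		"disallowDoctypeDecl": true
	};

	/**
	 * Parse XML you fully trust (e.g. a file shipped with the application) with
	 * DOCTYPE/entity support enabled, then put the secure settings back.
	 * The relaxed settings only affect the current request, but the finally block
	 * guarantees the rest of this request runs with the secure settings again,
	 * even if xmlParse() throws.
	 * Hypothetical helper name; not part of Lucee.
	 */
	public xml function parseTrustedXml( required string trustedXml ) {
		// snapshot of the current (secure) settings for this request
		var secureFeatures = getApplicationSettings().xmlFeatures;

		application action="update" xmlFeatures={
			"externalGeneralEntities": true,
			"secure": false,
			"disallowDoctypeDecl": false
		};
		try {
			return xmlParse( arguments.trustedXml );
		} finally {
			application action="update" xmlFeatures=secureFeatures;
		}
	}
}
```

```cfml
// xxe-check.cfm  (added example; the payload below is constructed for the test)
// With the secure baseline from Application.cfc this page must never print UNSAFE.
payload = '<?xml version="1.0"?>'
	& '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
	& '<foo>&xxe;</foo>';

try {
	doc = xmlParse( payload );
	// disallowDoctypeDecl=false but externalGeneralEntities=false: the DOCTYPE is
	// accepted, yet the external entity is not resolved, so the element text stays empty
	resolved = len( trim( doc.foo.xmlText ) ) > 0;
	writeOutput( resolved
		? "UNSAFE: external entity was resolved, check this.xmlFeatures"
		: "OK: DOCTYPE accepted but external entity not resolved" );
} catch ( any e ) {
	// disallowDoctypeDecl=true: the parser refuses the DOCTYPE outright
	writeOutput( "OK: parser rejected the DOCTYPE: " & encodeForHTML( e.message ) );
}
```

Drop both files into an empty directory under the webroot and request xxe-check.cfm; then call parseTrustedXml() from a page of your own and request xxe-check.cfm again from another browser tab to confirm the relaxed settings never leaked.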

Great move, thanks Zac!


Pete Freitag
Foundeo Inc.

2 Likes

The latest Docker images for 5.4.x are also largely CVE-free now (as of earlier this month). Definitely give them a try, and if you have issues let us know.

The official Tomcat Docker images that we used as a base have transitioned away from Debian towards Ubuntu (22.04), and away from the OpenJDK builds of Java to Eclipse Temurin (which are themselves based on OpenJDK). This may present minor incompatibilities when upgrading from 5.3.x to 5.4.x mostly due to the underlying OS change. I wouldn’t expect any Java issues, although we did switch the default from the JDK to the JRE so that the default images would be smaller, but we will add JDK builds again soon for those who need them.

3 Likes

Over on Slack, I was asked whether the application action="update" approach puts other requests at risk.

It’s a good question; I had the same concern, but it turns out not to be a problem.

Each request has its own snapshot of the application settings. Application scope variables are of course shared between requests, but you can always do conditional logic per request in the constructor of the Application.cfc, and it doesn’t affect other requests.

A quick demo (use 5.4.2.11-SNAPSHOT) is attached:

  1. Open normal.cfm, which runs a loop with sleep, dumping out getApplicationSettings().xmlfeatures

  2. While that’s looping and dumping out the settings, call unsafe.cfm, which changes the xmlfeatures to be unsafe

Nothing changes in the normal.cfm request!

xxe.zip (1014 Bytes)

2 Likes

I have gone back and got the builds working for 5.3.9, 5.3.8 and 5.3.7

I know some people are still running these older versions, so I have backported this change

5.3.9.172-SNAPSHOT
5.3.8.236-SNAPSHOT
5.3.7.58-SNAPSHOT

https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.3.9.172
https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.3.8.236
https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.3.7.58

There are additional fixes in these SNAPSHOTs since the last STABLE. They have been used in production, but as always you will need to test these builds yourself.

There will be no RC or STABLE releases for these older versions; you really should be upgrading to 5.4.2.

1 Like

Wooohooo! Thanks @Zackster! Nice to see the Lucee Team taking such actions about security. Really appreciate the commitment!

2 Likes

For all who still don’t know, there is a default Application.cfc template in cfscript in the Lucee documentation.

Thanks to @Roberto_Marzialetti now we have the new and important anti-XXE settings added with his Pull Request there too!!! Nice move! Great contribution!!!

3 Likes