CVE-2022-0265 Overview
CVE-2022-0265 is an XML External Entity (XXE) vulnerability in the Hazelcast in-memory data grid platform. The flaw exists in Hazelcast version 5.1-BETA-1 and stems from improper restriction of XML external entity references [CWE-611] within the configuration XML parsing logic. An unauthenticated attacker who can supply crafted XML to a vulnerable Hazelcast instance can trigger external entity resolution. This enables file disclosure, server-side request forgery (SSRF), and denial-of-service conditions against the host. The vulnerability was reported through the Huntr bug bounty program and patched by the Hazelcast maintainers in the upstream repository.
Critical Impact
An unauthenticated network attacker can exploit the XXE flaw to read local files, perform SSRF against internal services, and disrupt Hazelcast cluster availability.
Affected Products
- Hazelcast IMDG 5.1-BETA-1
- hazelcast:hazelcast Java component (CPE: cpe:2.3:a:hazelcast:hazelcast:5.1:beta1)
- Applications embedding the vulnerable Hazelcast library for clustering or caching
Discovery Timeline
- 2022-03-03 - CVE-2022-0265 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0265
Vulnerability Analysis
The vulnerability resides in Hazelcast's XML configuration handling, specifically in AbstractXmlConfigRootTagRecognizer.java. The class uses a SAXParserFactory to parse XML configuration streams but does not disable external entity processing. Attackers who can influence the XML input processed by this recognizer can inject a DOCTYPE declaration that references an external entity. The Java XML parser then resolves the entity, fetching content from a local file path or remote URL chosen by the attacker.
The issue is classified as Improper Restriction of XML External Entity Reference [CWE-611]. Because Hazelcast often runs in clustered backend services with elevated trust and access to internal systems, successful exploitation can pivot into data exfiltration or internal network reconnaissance. The EPSS probability of 8.306% (92nd percentile) reflects elevated likelihood of exploitation attempts relative to most CVEs.
Root Cause
The root cause is the use of a default-configured SAXParserFactory without security features such as http://apache.org/xml/features/disallow-doctype-decl or XMLConstants.FEATURE_SECURE_PROCESSING. Without these flags, the parser honors DOCTYPE declarations and resolves external entities at parse time.
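The hardening the root cause calls for, as an added example that is not Hazelcast's own XmlUtil code: a SAXParserFactory configured to refuse DOCTYPE declarations and external entities, driven by a minimal root-tag recognizer over a constructed plain config and a constructed config carrying a DOCTYPE. The class and method names are assumptions; the behaviour of the default factory depends on the JDK's default JAXP configuration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
public class HardenedRootTagRecognizer {
    // Illustrative hardening (hypothetical class, not Hazelcast's XmlUtil); every feature is a standard JAXP/Xerces feature.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject any DOCTYPE outright
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }
    // What a root-tag recognizer needs from the document: the name of its first element.
    static String rootTag(SAXParserFactory factory, String xml) throws Exception {
        final String[] root = new String[1];
        SAXParser parser = factory.newSAXParser();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
            new DefaultHandler() {
                @Override
                public void startElement(String uri, String local, String qName, Attributes atts) {
                    if (root[0] == null) root[0] = qName;
                }
            });
        return root[0];
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain config and the same config with a DOCTYPE declaring
        // an external entity (pointed at /dev/null so resolving it is harmless on Linux).
        String plain = "<hazelcast><cluster-name>dev</cluster-name></hazelcast>";
        String doctype = "<!DOCTYPE hazelcast [<!ENTITY e SYSTEM \"file:///dev/null\">]>"
            + "<hazelcast>&e;</hazelcast>";
        System.out.println("default factory, DOCTYPE input: root = "
            + rootTag(SAXParserFactory.newInstance(), doctype)); // parses; the entity is resolved
        System.out.println("hardened factory, plain input: root = " + rootTag(hardenedFactory(), plain));
        try {
            rootTag(hardenedFactory(), doctype);
        } catch (SAXException e) {
            System.out.println("hardened factory, DOCTYPE input: rejected (" + e.getMessage() + ")");
        }
    }
}
```

With disallow-doctype-decl set, the hardened parser fails on the DOCTYPE before any entity is looked at, which is the property the fix needs for configuration read from untrusted sources.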
Attack Vector
Exploitation requires the attacker to deliver a malicious XML document to a code path that invokes the vulnerable recognizer. A typical payload defines an external entity pointing to a sensitive file (for example, file:///etc/passwd) or an internal URL, then references that entity inside the XML body to force resolution and disclosure.
// Security patch applied in AbstractXmlConfigRootTagRecognizer.java
import com.hazelcast.config.ConfigRecognizer;
import com.hazelcast.config.ConfigStream;
+import com.hazelcast.internal.util.XmlUtil;
import com.hazelcast.logging.ILogger;
import com.hazelcast.logging.Logger;
import org.xml.sax.Attributes;
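Review bot: the excerpt shows only the added import of com.hazelcast.internal.util.XmlUtil; the call site where the default SAXParserFactory is replaced by the hardened one is not included, so the import alone does not show that DOCTYPE and external-entity handling changed. Include the lines that construct the factory through XmlUtil so the fix is verifiable from the diff itself.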
Source: Hazelcast GitHub commit 4d6b666. The patch introduces XmlUtil, a helper that configures the SAXParserFactory with XXE-hardening features before parsing untrusted input.
Detection Methods for CVE-2022-0265
Indicators of Compromise
- Outbound network connections from Hazelcast JVM processes to attacker-controlled hosts during XML configuration parsing.
- Hazelcast logs containing SAXParseException or external entity resolution errors referencing file://, http://, or ftp:// URIs.
- Unexpected reads of sensitive local files (/etc/passwd, /etc/shadow, Java keystores) by the Hazelcast service account.
Detection Strategies
- Inventory all Java applications embedding hazelcast:hazelcast and flag any instance running 5.1-BETA-1 or another build that lacks the fix.
- Inspect XML inputs processed by Hazelcast for DOCTYPE, ENTITY, or SYSTEM declarations, which are not expected in legitimate Hazelcast configuration files.
- Correlate Hazelcast process telemetry with egress firewall logs to identify XML-parser-initiated outbound requests.
Monitoring Recommendations
- Enable verbose XML parser logging in non-production environments to surface attempted entity resolution.
- Monitor file-access auditing (auditd, Sysmon FileAccess) for reads of sensitive files by the JVM running Hazelcast.
- Alert on Hazelcast pods or hosts initiating DNS lookups or HTTP requests outside their normal cluster peer set.
How to Mitigate CVE-2022-0265
Immediate Actions Required
- Upgrade Hazelcast to a release that includes the fix from commit 4d6b666cd0291abd618c3b95cdbb51aa4208e748 and avoid running the 5.1-BETA-1 build.
- Restrict network access to Hazelcast member and client ports so only trusted application tiers can reach them.
- Ensure Hazelcast configuration XML is sourced from trusted, integrity-verified locations rather than user-controlled input.
Patch Information
The Hazelcast maintainers fixed the issue by adding a helper method in XmlUtil that hardens the SAXParserFactory against XXE before parsing. The fix is committed at Hazelcast GitHub commit 4d6b666. Additional context is available in the Huntr bounty report. Upgrade to a Hazelcast release that incorporates this commit.
Workarounds
- If upgrading is not immediately feasible, run Hazelcast under a service account with minimal filesystem permissions and no access to sensitive secrets.
- Block outbound network egress from Hazelcast hosts except to required cluster peers and dependencies to neutralize SSRF and data-exfiltration payloads.
- Place Hazelcast endpoints behind authenticated reverse proxies and reject XML payloads containing DOCTYPE declarations at the proxy layer.
# Verify the installed Hazelcast version and confirm the patch is present
mvn dependency:tree | grep hazelcast
# The fix adds the XmlUtil helper alongside the recognizer; a patched jar carries both class files
for jar in hazelcast-*.jar; do
  jar tf "$jar" | grep -E 'AbstractXmlConfigRootTagRecognizer|internal/util/XmlUtil'
done
# Compare classpath build against patched commit 4d6b666cd0291abd618c3b95cdbb51aa4208e748
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.