CVE-2022-28890 Overview
A critical XML External Entity (XXE) vulnerability exists in the RDF/XML parser of Apache Jena that allows an attacker to cause an external DTD to be retrieved. This vulnerability affects Apache Jena version 4.4.0 and prior versions. Notably, Apache Jena versions 4.2.x and 4.3.x do not allow external entities, indicating a regression in the security posture of version 4.4.0.
Critical Impact
Attackers can exploit this XXE vulnerability to retrieve external DTDs, potentially leading to server-side request forgery (SSRF), information disclosure, or denial of service attacks against systems processing untrusted RDF/XML input.
Affected Products
- Apache Jena version 4.4.0
- Apache Jena versions prior to 4.2.x
- Systems using vulnerable Apache Jena RDF/XML parsing functionality
Discovery Timeline
- 2022-05-05 - CVE CVE-2022-28890 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-28890
Vulnerability Analysis
This vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference), commonly known as an XXE vulnerability. The flaw resides in the RDF/XML parser component of Apache Jena, which fails to properly restrict the processing of external Document Type Definitions (DTDs).
When the RDF/XML parser processes XML input containing a malicious DTD declaration, it will attempt to retrieve the external entity specified in the declaration. This behavior can be exploited by an attacker who can supply or manipulate RDF/XML input to the vulnerable application.
The vulnerability is particularly concerning because Apache Jena is widely used in semantic web applications and linked data platforms for processing RDF data. Applications that accept RDF/XML input from untrusted sources are at risk.
Root Cause
The root cause of this vulnerability is the improper configuration of the XML parser used by the RDF/XML component in Apache Jena 4.4.0. The parser does not adequately restrict the processing of external entities and DTDs, allowing attackers to reference external resources.
This represents a security regression, as versions 4.2.x and 4.3.x properly restricted external entities. The vulnerability was reintroduced in version 4.4.0, likely due to changes in the XML parsing configuration or the underlying parsing library usage.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by submitting specially crafted RDF/XML content to an application using the vulnerable Apache Jena parser. The malicious XML would include a DOCTYPE declaration referencing an external DTD controlled by the attacker.
When the vulnerable parser processes this input, it will make an outbound request to retrieve the external DTD. This can be leveraged for various attacks including reading local files (if file:// URIs are permitted), conducting SSRF attacks against internal network resources, or causing denial of service through billion laughs or other XML-based resource exhaustion attacks.
Detection Methods for CVE-2022-28890
Indicators of Compromise
- Unusual outbound network connections from servers running Apache Jena applications to external hosts
- XML parser errors in application logs referencing external DTD retrieval failures
- Unexpected file access attempts from web application processes
- HTTP requests containing DOCTYPE declarations with external SYSTEM or PUBLIC identifiers in RDF/XML payloads
Detection Strategies
- Monitor web application firewall (WAF) logs for RDF/XML requests containing DOCTYPE declarations with external entity references
- Implement network-level detection for outbound connections originating from application servers to unexpected destinations
- Review application logs for XML parsing exceptions related to external entity resolution
- Deploy intrusion detection signatures for common XXE payload patterns in HTTP traffic
Monitoring Recommendations
- Enable detailed logging for all RDF/XML parsing operations in Apache Jena applications
- Configure network monitoring to alert on outbound DNS lookups or HTTP requests from application tier to untrusted destinations
- Implement file integrity monitoring on sensitive configuration files that could be targeted via XXE attacks
- Set up alerts for unusual process behavior from Java applications utilizing Apache Jena
How to Mitigate CVE-2022-28890
Immediate Actions Required
- Upgrade Apache Jena to a patched version that properly restricts external entity processing
- Implement input validation to reject RDF/XML input containing DOCTYPE declarations
- Configure XML parsers to disable external entity and DTD processing at the application level
- Apply network segmentation to limit outbound connectivity from application servers
Patch Information
Apache has addressed this vulnerability in subsequent releases. Organizations should upgrade to a version of Apache Jena that includes the fix for this XXE vulnerability. Refer to the Apache Mailing List Thread for detailed patch information and official guidance from the Apache Jena project.
If running version 4.2.x or 4.3.x, those versions are not affected by this specific vulnerability according to the advisory, though upgrading to the latest stable release is still recommended for comprehensive security coverage.
Workarounds
- If upgrading is not immediately possible, configure the underlying XML parser to disable external entity processing by setting appropriate parser features
- Implement a sanitization layer that strips DOCTYPE declarations from incoming RDF/XML before passing to the Jena parser
- Use RDF formats other than RDF/XML (such as Turtle or JSON-LD) that do not have XXE attack surface
- Deploy a web application firewall with rules to block requests containing potential XXE payloads
# Configuration example for disabling external access in the JDK's JAXP XML parsers
# Add these JVM system properties to your application startup; an empty value means
# no protocol is allowed, so all external DTD, schema and stylesheet fetches are denied
-Djavax.xml.accessExternalDTD=""
-Djavax.xml.accessExternalSchema=""
-Djavax.xml.accessExternalStylesheet=""
# These properties only take effect for parsers that read the JAXP access-restriction
# properties; confirm that the parser Jena actually uses in your deployment honours them
# before relying on this as the sole mitigation
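The DOCTYPE check behind the detection indicators above (a DOCTYPE with an external SYSTEM or PUBLIC identifier) and the reject-or-strip workarounds, written out as an added example in Python; this is not code from the advisory or from the Apache Jena project. The sample documents and the dtd.example.invalid host are constructed, and the regular expression is a pre-filter rather than an XML parser, so the parser behind it must still be configured to refuse DTDs.

```python
import re
from typing import NamedTuple, Optional

# Heuristic match for a DOCTYPE: optional external id (SYSTEM "uri" | PUBLIC "fpi" "uri") and an
# optional [...] internal subset (DOTALL so it may span lines). Pre-filter only, not an XML parser.
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<root>[^\s\[>]+)"
    r"(?:\s+(?P<kind>SYSTEM|PUBLIC)\s+(?P<id1>\"[^\"]*\"|'[^']*')"
    r"(?:\s+(?P<id2>\"[^\"]*\"|'[^']*'))?)?"
    r"\s*(?:\[(?P<subset>.*?)\]\s*)?>",
    re.IGNORECASE | re.DOTALL,
)
# External references can also be declared inside the internal subset.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)

class DoctypeFinding(NamedTuple):
    root: str
    external_kind: Optional[str]  # SYSTEM / PUBLIC on the DOCTYPE itself, else None
    external_uri: Optional[str]
    subset_external_refs: int     # SYSTEM/PUBLIC entity declarations in the subset

def find_doctype(xml_text: str) -> Optional[DoctypeFinding]:
    """Return details of the first DOCTYPE declaration, or None if there is none."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return None
    kind = m.group("kind").upper() if m.group("kind") else None
    literal = m.group("id2") if kind == "PUBLIC" else m.group("id1")  # PUBLIC: FPI comes first
    uri = literal[1:-1] if literal else None
    refs = len(EXTERNAL_ENTITY_RE.findall(m.group("subset") or ""))
    return DoctypeFinding(m.group("root"), kind, uri, refs)

def is_external_dtd_attempt(xml_text: str) -> bool:
    """Detection rule: a DOCTYPE that points outside the document (the CVE-2022-28890 trigger)."""
    f = find_doctype(xml_text)
    return f is not None and (f.external_kind is not None or f.subset_external_refs > 0)

def strip_doctype(xml_text: str) -> str:
    """Sanitisation layer: drop the DOCTYPE so the Jena parser never sees a DTD."""
    return DOCTYPE_RE.sub("", xml_text, count=1)

def validate_rdfxml(xml_text: str) -> str:
    """Strict input validation: refuse any DOCTYPE, external or not."""
    if find_doctype(xml_text) is not None:
        raise ValueError("RDF/XML containing a DOCTYPE declaration is rejected")
    return xml_text

# Constructed samples (not real traffic): a plain RDF/XML document and one carrying an external DTD.
RDF_NS = 'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
BENIGN = f'<?xml version="1.0"?><rdf:RDF {RDF_NS}/>'
EXTERNAL_DTD = f'<?xml version="1.0"?><!DOCTYPE rdf:RDF SYSTEM "http://dtd.example.invalid/x.dtd"><rdf:RDF {RDF_NS}/>'
```

Decode the request body to text before calling these functions, since a DOCTYPE in a non-UTF-8 encoding would otherwise slip past the byte-level search.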
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

