CVE-2024-28168 Overview
CVE-2024-28168 is an XML External Entity (XXE) vulnerability in Apache XML Graphics Formatting Objects Processor (FOP) version 2.9. The flaw allows remote attackers to abuse XML parsing to read sensitive files, perform Server-Side Request Forgery (SSRF), or exfiltrate data from systems that process attacker-controlled XSL-FO or XML documents. The vulnerability is classified under [CWE-611] (Improper Restriction of XML External Entity Reference).
Apache addressed the issue in FOP version 2.10. Administrators using version 2.9 should upgrade immediately to remove the external entity processing risk.
Critical Impact
Remote, unauthenticated attackers can exploit XXE to disclose file contents and internal network resources from systems running Apache FOP 2.9.
Affected Products
- Apache XML Graphics FOP 2.9
- Applications embedding apache:formatting_objects_processor 2.9 for PDF or print rendering
- Document pipelines that pass untrusted XML or XSL-FO into Apache FOP 2.9
Discovery Timeline
- 2024-10-09 - CVE-2024-28168 published to NVD
- 2025-07-16 - Last updated in NVD database
Technical Details for CVE-2024-28168
Vulnerability Analysis
Apache FOP converts XSL-FO documents into output formats such as PDF, PostScript, and PNG. Version 2.9 fails to adequately restrict external entity resolution during XML parsing. When FOP processes an attacker-supplied document, the underlying XML parser resolves external entities referenced in the document type declaration.
An attacker can declare an entity that points to a local file path or a remote URL. The parser fetches the resource and embeds its contents in the parsed document. Depending on how the calling application surfaces FOP output or errors, the attacker can read sensitive files such as /etc/passwd, retrieve internal HTTP endpoints, or trigger out-of-band data exfiltration.
The vulnerability does not require authentication or user interaction when reachable through a network-facing document conversion service. Confidentiality is directly impacted, while integrity and availability remain unaffected.
Root Cause
The root cause is the absence of secure XML parser configuration in Apache FOP 2.9. The parser permits DOCTYPE declarations and resolves both SYSTEM and parameter entities by default. No explicit disabling of external entities or external DTDs is enforced before document processing.
Attack Vector
Exploitation requires only the ability to submit XML or XSL-FO content to an application that hands it to FOP for rendering. The attacker crafts a document containing an external entity declaration that references a local file or remote endpoint. When FOP parses the document, the parser dereferences the entity and the content becomes available to the attacker through the rendered output, error messages, or out-of-band channels such as DNS or HTTP requests to attacker-controlled infrastructure.
No verified public proof-of-concept code is available. Refer to the Apache XMLGraphics Security Overview and the OpenWall OSS Security Discussion for technical details.
Detection Methods for CVE-2024-28168
Indicators of Compromise
- Inbound XML or XSL-FO documents containing <!DOCTYPE> declarations with SYSTEM or PUBLIC external references
- Outbound network connections from FOP processing hosts to unexpected internal IP ranges or external domains during document conversion
- File access attempts from the FOP process to sensitive paths such as /etc/passwd, /proc/self/environ, or Windows configuration files
- Unusual DNS lookups originating from servers running Apache FOP 2.9
Detection Strategies
- Inspect XML payloads at the application layer for DOCTYPE, ENTITY, and SYSTEM keywords before they reach the parser
- Monitor process telemetry from Java application servers hosting FOP for unexpected file reads or network connections
- Correlate document submission events with subsequent outbound HTTP or DNS activity that completes within the conversion window
Monitoring Recommendations
- Enable verbose logging on the FOP wrapper application to capture parsed document metadata and entity resolution errors
- Forward Java process audit logs to a central data lake and build identifications for entity resolution failures and SSRF-style outbound traffic
- Alert on any FOP host establishing connections to cloud metadata endpoints such as 169.254.169.254
How to Mitigate CVE-2024-28168
Immediate Actions Required
- Upgrade Apache XML Graphics FOP to version 2.10 or later on all hosts and embedded deployments
- Audit application dependencies and build artifacts for transitive inclusion of FOP 2.9
- Restrict network egress from servers running document conversion services to block opportunistic SSRF and data exfiltration
Patch Information
Apache released FOP 2.10 to address CVE-2024-28168. The fix disables external entity resolution in the XML parsers used by FOP. Review the Apache XMLGraphics Security Overview for upgrade guidance and verify the runtime version reported by your application after deployment.
Workarounds
- Configure the calling application to pre-process XML input and strip DOCTYPE declarations before invoking FOP
- Run FOP in an isolated environment without access to sensitive files or internal network resources
- Apply egress filtering to block the FOP host from contacting arbitrary external systems during document rendering
# Configuration example: harden the XML parser used by the host application
# Java system properties to disable external DTDs and entities at JVM startup
java \
-Djavax.xml.accessExternalDTD="" \
-Djavax.xml.accessExternalSchema="" \
-Djavax.xml.accessExternalStylesheet="" \
-jar your-fop-application.jar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
