CVE-2017-12621
📋 TL;DR
This vulnerability allows XML External Entity (XXE) attacks in Apache Commons Jelly when parsing Jelly XML files with custom doctype entities. Attackers can force the parser to make unauthorized network connections to external URLs, potentially leading to data exfiltration or server-side request forgery. Systems using Apache Commons Jelly versions before 1.0.1 are affected.
💻 Affected Systems
- Apache Commons Jelly
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through SSRF leading to internal network reconnaissance, data exfiltration, or remote code execution via file inclusion.
Likely Case
Information disclosure through outbound HTTP requests to attacker-controlled servers, potentially exposing internal network details or sensitive data.
If Mitigated
Limited impact with proper network segmentation and egress filtering preventing external connections.
🎯 Exploit Status
Exploitation requires the ability to supply malicious Jelly XML files to the parser. XXE attacks are well-documented and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Commons Jelly 1.0.1
Vendor Advisory: https://issues.apache.org/jira/browse/JELLY-293
Restart Required: Yes
Instructions:
1. Upgrade to Apache Commons Jelly 1.0.1 or later.
2. Update all dependencies to use the patched version.
3. Restart affected applications.
🔧 Temporary Workarounds
Disable external entity processing
- Configure the XML parser to disable external entity resolution
- Set FEATURE_SECURE_PROCESSING to true in the XML parser configuration
- Disable DOCTYPE declarations in the parser settings
Input validation and sanitization
- Validate and sanitize all Jelly XML input before parsing
- Implement XML schema validation
- Use whitelisting for allowed XML elements
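The parser-hardening workaround above, as an added example (not code from Apache Commons Jelly or this advisory): it builds a SAX XMLReader that rejects DOCTYPE declarations and never resolves external entities, then shows that a constructed Jelly script with a DOCTYPE is refused while a plain one still parses. How the configured reader is handed to your Jelly integration is assumed to be application-specific and is not shown.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXmlReader {

    // Returns a SAX XMLReader with DOCTYPE and external entity handling disabled.
    public static XMLReader create() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // JAXP secure processing caps entity expansion; on its own it does not stop XXE.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: a parse error stops entity tricks before they start.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be permitted: no external entities or DTDs.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Last line of defence: any entity lookup resolves to an empty document, never a URL or file.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    // Returns true when the document parses, false when the hardened reader rejects it.
    public static boolean parses(String xml) {
        try {
            XMLReader reader = create();
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | ParserConfigurationException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a harmless Jelly script, and one carrying a custom DOCTYPE entity
        // that points at a non-routable host (example.invalid) so nothing is contacted either way.
        String plain = "<j:jelly xmlns:j='jelly:core'><j:set var='x' value='1'/></j:jelly>";
        String withDoctype = "<!DOCTYPE j [<!ENTITY ext SYSTEM 'http://example.invalid/x'>]>"
                + "<j:jelly xmlns:j='jelly:core'>&ext;</j:jelly>";
        System.out.println("plain script parses: " + parses(plain));
        System.out.println("DOCTYPE script rejected: " + !parses(withDoctype));
    }
}
```

Run it once against a known-good Jelly script from your own code base before deploying, since some legitimate scripts carry a DOCTYPE and will now fail fast at parse time.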
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent outbound connections from affected systems
- Deploy web application firewall with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check if application uses Apache Commons Jelly version <1.0.1 and parses untrusted Jelly XML files.
Check Version:
Check Maven/Gradle dependencies or examine JAR manifest: jelly-core-*.jar
Verify Fix Applied:
Verify Apache Commons Jelly version is 1.0.1 or later in dependencies and test with malicious XXE payloads.
📡 Detection & Monitoring
Log Indicators:
- Unexpected outbound HTTP requests from application servers
- XML parsing errors with external entity references
- Failed network connections to unusual external domains
Network Indicators:
- Outbound HTTP requests to suspicious domains from application servers
- DNS queries for unusual domains during XML processing
SIEM Query:
source="application-server" AND (http_outbound OR dns_query) AND (xml OR jelly OR xerces) AND NOT whitelisted_domain
🔗 References
- http://www.securityfocus.com/bid/101052
- http://www.securitytracker.com/id/1039444
- https://issues.apache.org/jira/browse/JELLY-293
- https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E