CVE-2019-13990
📋 TL;DR
CVE-2019-13990 is an XML External Entity (XXE) vulnerability in Terracotta Quartz Scheduler through 2.3.0. The XML parser that XMLSchedulingDataProcessor sets up in initDocumentParser (org/quartz/xml) resolves external entities, so an attacker who can supply job-scheduling XML, for example through a job description, can read files the scheduler process is able to access or make the server issue requests to internal systems (server-side request forgery). The exposure is governed by who can feed XML to the scheduler: a quartz_data.xml that only administrators can write is a far smaller risk than an application that accepts job definitions from users.
💻 Affected Systems
- Terracotta Quartz Scheduler
📦 What is this software?
Quartz is an open-source Java job-scheduling library. Its XMLSchedulingDataProcessor (package org.quartz.xml) loads jobs and triggers from an XML file, quartz_data.xml by default, usually through XMLSchedulingDataProcessorPlugin; the parser it configures in initDocumentParser is the vulnerable component. Quartz is bundled into many commercial and open-source products, so the CVE also appears in vendor advisories for:
- Banking Enterprise Product Manufacturing by Oracle
- Communications Ip Service Activator by Oracle
- Communications Session Route Manager by Oracle
- Customer Management And Segmentation Foundation by Oracle
- Documaker by Oracle
- Enterprise Manager Base Platform by Oracle
- Hyperion Infrastructure Technology by Oracle
- Jd Edwards Enterpriseone Orchestrator by Oracle
- Quartz by Softwareag
- Terracotta Quartz Scheduler Mapviewer by Oracle
- Tomee by Apache
- Jira Service Management Data Center and Server by Atlassian (see References)
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the scheduler's JVM can read (application properties holding database passwords, private keys, /etc/passwd and similar), SSRF from the scheduler host against internal services or cloud metadata endpoints, and parser exhaustion through recursive entity expansion. XXE by itself does not execute code; a full takeover follows from what the disclosed credentials or reachable internal endpoints give the attacker next.
Likely Case
Read access to files and configuration data readable by the scheduler process, exposing credentials or other sensitive information. Out-of-band exfiltration through an attacker-hosted DTD works even when the entity content never appears in any response.
If Mitigated
With job XML accepted only from trusted sources, the scheduler running as a low-privilege account with a minimal filesystem view, and outbound connections from the host restricted, impact shrinks to the files that account can read; sensitive data exposure remains possible until the parser itself is fixed.
🎯 Exploit Status
Exploitation requires the ability to get XML in front of XMLSchedulingDataProcessor: an application that accepts job definitions from users, write access to the quartz_data.xml (or another file the plugin loads), or control of a URL it fetches. No authentication to Quartz itself is involved beyond that input path. A public proof of concept is described in the upstream GitHub issue (#467) and in downstream security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.3.1 and later
Vendor Advisory: https://github.com/quartz-scheduler/quartz/issues/467
Restart Required: Yes
Instructions:
1. Upgrade the org.quartz-scheduler:quartz dependency to 2.3.1 or later, and check for transitive and shaded copies, since Quartz is frequently pulled in by another library or bundled inside an application server.
2. For products that embed Quartz (Oracle, Apache TomEE, Atlassian Jira Service Management, NetApp), apply the vendor's own patched build from the advisories listed under References rather than swapping the JAR by hand.
3. Restart the application server or JVM so the patched classes are loaded.
4. Confirm the fix took effect by feeding the scheduler an XML document that declares an external entity and checking that it is rejected (see How to Verify).
🔧 Temporary Workarounds
Disable XXE in XML parsing
Configure the parser Quartz uses to refuse external entities. The relevant settings are the standard JAXP/Xerces ones:
- XMLConstants.FEATURE_SECURE_PROCESSING = true
- http://apache.org/xml/features/disallow-doctype-decl = true
- http://xml.org/sax/features/external-general-entities = false
- http://xml.org/sax/features/external-parameter-entities = false
Refusing the DOCTYPE outright is safe here: Quartz job XML is described by an XSD (job_scheduling_data_2_0.xsd) and never needs a DTD. These settings only help if they reach the DocumentBuilderFactory created inside XMLSchedulingDataProcessor.initDocumentParser(); hardening the application's own parsers elsewhere does nothing for Quartz. In practice that means subclassing the processor and overriding that method (it is protected in the 2.x sources), or checking the XML with a hardened parser before it is handed to Quartz.
Input validation and sanitization
Reject, rather than strip, any job XML that contains a DOCTYPE declaration; stripping with a regular expression is bypassable through alternate encodings. Schema validation against the Quartz XSD does not prevent XXE on its own, because entity expansion happens before validation and the expanded text still fits the schema. Restrict which callers may submit job XML at all.
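The following is an added example, not code from the Quartz project or from any of the advisories referenced on this page. It applies the parser settings from the workaround above in a guard that checks candidate job XML before the bytes are passed to XMLSchedulingDataProcessor, and it doubles as the XXE-payload test described under "Verify Fix Applied" below. The class name JobXmlGuard and the two sample documents are constructed for this example; the Quartz XML namespace and org.quartz.jobs.NoOpJob are real. It assumes the JDK's built-in Xerces parser, which honours the Apache feature URIs used.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example, not Quartz project code: a guard that parses candidate job XML with a
 * hardened JAXP DocumentBuilder before the same bytes are handed to XMLSchedulingDataProcessor.
 */
public final class JobXmlGuard {

    private JobXmlGuard() {}

    /** The parser settings listed under "Disable XXE in XML parsing", applied to a fresh factory. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Quartz job XML is XSD-described and never carries a DTD, so a DOCTYPE can be refused outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /**
     * True when the document parses under the hardened configuration; false when the parser
     * rejects it (DOCTYPE present, or not well-formed). Only documents returning true should
     * be passed on to Quartz.
     */
    public static boolean accepts(byte[] xml) throws ParserConfigurationException {
        try {
            Document doc = hardenedBuilder().parse(new ByteArrayInputStream(xml));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal, legitimate quartz_data.xml.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<job-scheduling-data xmlns=\"http://www.quartz-scheduler.org/xml/JobSchedulingData\""
            + " version=\"2.0\">\n"
            + "  <schedule/>\n"
            + "</job-scheduling-data>\n";

        // Constructed sample: the same document with an external entity referenced from a job
        // description, the payload shape the CVE describes. On an unpatched Quartz parser the
        // entity is resolved and the file content ends up stored in the job's description.
        String xxe = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE job-scheduling-data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<job-scheduling-data xmlns=\"http://www.quartz-scheduler.org/xml/JobSchedulingData\""
            + " version=\"2.0\">\n"
            + "  <schedule><job><name>j1</name><group>g1</group>\n"
            + "    <description>&xxe;</description>\n"
            + "    <job-class>org.quartz.jobs.NoOpJob</job-class></job></schedule>\n"
            + "</job-scheduling-data>\n";

        System.out.println("benign accepted: " + accepts(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println("xxe accepted:    " + accepts(xxe.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Wire the guard in front of whichever path feeds XML to Quartz: read the bytes once, call accepts, and then hand those same bytes to the processor's stream-based entry point (processStreamAndScheduleJobs in the 2.x API) rather than re-reading the file, so the content that was checked and the content that is parsed cannot differ. The guard does not alter the parser Quartz builds internally; it only ensures no DOCTYPE-carrying document reaches it, which is why it is a workaround and not a substitute for the upgrade.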
🧯 If You Can't Patch
- Restrict who can write quartz_data.xml or submit job XML to the scheduler; without that input path the bug cannot be reached
- Run the scheduler under a low-privilege account with no access to secrets it does not need, and restrict outbound connections from the host to limit SSRF and out-of-band exfiltration
- Implement network segmentation to isolate Quartz Scheduler instances from sensitive systems
- Deploy web application firewall (WAF) rules that block DOCTYPE and ENTITY declarations in XML input, accepting that this only covers XML arriving over HTTP paths the WAF inspects and can be evaded with alternate encodings
🔍 How to Verify
Check if Vulnerable:
Inspect your dependency tree for org.quartz-scheduler:quartz, including transitive and shaded copies, not just the version declared in your own pom.xml or build.gradle. Versions up to and including 2.3.0 are vulnerable; for products that bundle Quartz, check the vendor advisory for the fixed build rather than the Quartz version alone.
Check Version:
For Maven: mvn dependency:tree | grep quartz
For Gradle: gradle dependencies | grep quartz
At runtime: scheduler.getMetaData().getVersion() on an org.quartz.Scheduler instance returns the Quartz version string (Quartz does not set an org.quartz.version system property).
Verify Fix Applied:
Confirm the Quartz version is 2.3.1 or higher, then submit a job XML document that declares an external entity (a DOCTYPE with an ENTITY SYSTEM pointing at a local file) and confirm the scheduler rejects it with a parse error instead of loading the job.
📡 Detection & Monitoring
Log Indicators:
- XML parse failures from XMLSchedulingDataProcessor that mention DOCTYPE, entities, or external resources
- Job descriptions or names containing file contents (password hashes, key material, paths under /etc) instead of ordinary text, the footprint of an in-band XXE that was stored in the job store
- File reads or outbound HTTP/FTP requests from the scheduler process that do not match its normal behaviour
Network Indicators:
- Outbound connections from the scheduler host to internal services, cloud metadata endpoints, or unknown external hosts (out-of-band DTD fetch or exfiltration)
- XML payloads containing DOCTYPE declarations on the paths that feed the scheduler; Quartz job XML never legitimately carries one
SIEM Query:
source="*quartz*" AND ("<!DOCTYPE" OR "<!ENTITY")
Anchor on the markup rather than the bare words DOCTYPE, ENTITY and SYSTEM; SYSTEM in particular appears in many unrelated log lines and makes the query noisy.
🔗 References
- https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html
- https://github.com/quartz-scheduler/quartz/issues/467
- https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20221028-0002/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html