CVE-2020-10992

9.8 CRITICAL

📋 TL;DR

CVE-2020-10992 is an XML External Entity (XXE) vulnerability in the Azkaban workflow scheduler. When Azkaban parses its XML configuration files (the user manager XML and the project validator configuration), the parser resolves external entities, so an entity declaration pointing at a local path discloses any file the Azkaban process can read. All Azkaban releases through 3.84.0 are affected. Files at risk include Azkaban's own configuration and credentials, SSH keys, and other system files on the host.

💻 Affected Systems

Products:
  • Azkaban
Versions: through 3.84.0
Operating Systems: All operating systems running Azkaban
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the XmlValidatorManager.java and XmlUserManager.java classes, which parse the project validator configuration and the user manager XML (by default conf/azkaban-users.xml) with a DocumentBuilder that still resolves external entities.

📦 What is this software?

Azkaban is an open-source batch workflow job scheduler, originally built at LinkedIn to run Hadoop jobs. It consists of a web server (UI, project upload, scheduling, user management) and one or more executor servers, and it reads its users, roles and project validators from XML configuration files on the server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through file disclosure leading to credential theft, lateral movement, and potential remote code execution via disclosed sensitive files.

🟠

Likely Case

Unauthorized access to sensitive configuration files, database credentials, SSH keys, and other system files stored on the Azkaban server.

🟢

If Mitigated

Limited impact if the XML parser rejects DOCTYPE declarations and external entities, or if the configuration files Azkaban parses can only be written by trusted administrators.

🌐 Internet-Facing: HIGH - Azkaban instances exposed to the internet are directly vulnerable to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE is a well-understood bug class with readily available payloads and tooling. One caveat a practitioner should weigh against the ratings above: the affected classes parse XML that Azkaban loads from its own configuration directory (the user manager file and the validator configuration), not XML submitted over the network. The external entity is resolved when Azkaban parses that file, so an attacker needs a way to place attacker-controlled XML into one of those files, for example write access to the configuration directory or a deployment pipeline that generates them from untrusted input. The "unauthenticated" label reflects the CVSS vector rather than a network-reachable XML endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.85.0 and later

Vendor Advisory: https://github.com/azkaban/azkaban/issues/2478

Restart Required: Yes

Instructions:

1. Upgrade Azkaban to version 3.85.0 or later (the upgrade replaces the affected XmlValidatorManager and XmlUserManager classes; there is no separate file swap to perform).
2. Restart the Azkaban web server and executor services.
3. Verify that the parser now rejects XML configuration containing a DOCTYPE or external entity declaration (see "How to Verify" below).

🔧 Temporary Workarounds

Disable External Entity Processing

Platform: all

Configure the XML parsers used for the configuration files to disallow DOCTYPE declarations and external entity resolution. On the JAXP DocumentBuilderFactory this means:

  • setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
  • setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
  • setFeature("http://xml.org/sax/features/external-general-entities", false)
  • setFeature("http://xml.org/sax/features/external-parameter-entities", false)
  • setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)

Note that these settings live in Azkaban's own code, so applying them yourself means patching and rebuilding the two affected classes, which is the same amount of work as upgrading. Azkaban's configuration files have no need for a DOCTYPE, so disallowing it outright costs nothing.

Input Validation Filter

Platform: all

Screen XML configuration files before they reach Azkaban (in configuration management or the deployment pipeline) and reject any that contain a DOCTYPE declaration.

A regex such as /<!ENTITY\s+.*SYSTEM\s+.*>/i catches only the textbook payload. It misses entities declared with a PUBLIC identifier, entities pulled in from an external DTD (<!DOCTYPE x SYSTEM "http://..."> with the ENTITY declarations in the remote file), and files in an encoding such as UTF-16 that the regex never sees as ASCII. Reject on /<!DOCTYPE/i instead, and treat this as a stopgap rather than a substitute for the parser fix.
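The following standalone Java program is an added example, not code from Azkaban or from its fix. It parses a constructed file shaped like azkaban-users.xml, carrying a DOCTYPE whose external entity points at a throwaway "secret" file in the temp directory, first with a default JAXP DocumentBuilderFactory and then with one hardened using the feature flags listed above. The file name, the user element's text content and the "secret" contents are all constructed for the demonstration; Azkaban itself does not read the text content of a user element, but the parser resolves the entity at parse time regardless of whether the application uses the node.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not Azkaban code): default JAXP parser versus a hardened
 * one, fed an XXE payload in the shape of azkaban-users.xml.
 */
public class XxeConfigDemo {

  /** Default JAXP parser: DOCTYPE allowed, external entities resolved. */
  static DocumentBuilder defaultParser() throws ParserConfigurationException {
    return DocumentBuilderFactory.newInstance().newDocumentBuilder();
  }

  /** Hardened parser: no DOCTYPE at all, plus the individual entity/DTD switches. */
  static DocumentBuilder hardenedParser() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f.newDocumentBuilder();
  }

  /** Parse the document and return the text content of the first <user> element. */
  static String firstUserText(DocumentBuilder b, String xml) throws Exception {
    Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    return d.getElementsByTagName("user").item(0).getTextContent().trim();
  }

  public static void main(String[] args) throws Exception {
    // Constructed stand-in for a file the attacker wants to read.
    Path secret = Files.createTempFile("azkaban-demo-", ".txt");
    Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));

    // Constructed payload: same element shape as azkaban-users.xml, plus a
    // DOCTYPE whose external entity points at the secret file. The entity is
    // referenced from element content because the XML spec forbids external
    // entity references inside attribute values.
    String payload =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE azkaban-users [\n"
        + "  <!ENTITY leak SYSTEM \"" + secret.toUri() + "\">\n"
        + "]>\n"
        + "<azkaban-users>\n"
        + "  <user username=\"admin\" password=\"x\" roles=\"admin\">&leak;</user>\n"
        + "</azkaban-users>\n";

    try {
      // Default parser: the secret file's contents come back as the node text.
      System.out.println("default parser  : " + firstUserText(defaultParser(), payload));

      // Hardened parser: disallow-doctype-decl makes the DOCTYPE a fatal error,
      // so the entity is never declared, let alone resolved.
      try {
        firstUserText(hardenedParser(), payload);
        System.out.println("hardened parser : parsed (unexpected)");
      } catch (SAXParseException e) {
        System.out.println("hardened parser : rejected -> " + e.getMessage());
      }
    } finally {
      Files.deleteIfExists(secret);
    }
  }
}
```

Compile and run with `javac XxeConfigDemo.java && java XxeConfigDemo`. The first line prints the secret file's contents; the second reports a parse error about the disallowed DOCTYPE. Rejecting the DOCTYPE outright is the setting that matters; the remaining feature flags are there so the parser stays safe even if a future change re-enables DOCTYPE for some other reason.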

🧯 If You Can't Patch

  • Restrict write access to the Azkaban configuration directory (the user manager XML and validator configuration) to the administrators who maintain it, and make sure those files are never generated from untrusted input.
  • Implement network segmentation to isolate Azkaban instances from sensitive systems and to block unexpected outbound connections from the Azkaban host (an external DTD is one way to exfiltrate file contents).
  • Deploy a web application firewall (WAF) with XXE protection rules in front of the web server; this only helps for XML that reaches Azkaban over HTTP, not for files written to the configuration directory.

🔍 How to Verify

Check if Vulnerable:

Check the installed Azkaban version. If azkaban.properties carries a version property, grep for it:

grep azkaban.version /path/to/azkaban/conf/azkaban.properties

Otherwise the version is in the file names of the Azkaban jars shipped with the installation:

ls /path/to/azkaban/lib/azkaban-*.jar

Any version at or below 3.84.0 is vulnerable.

Verify Fix Applied:

On a non-production instance, add a DOCTYPE with an external entity that references a harmless local file to a copy of the user manager XML, then start Azkaban. A fixed build should refuse to parse the file (or parse it without resolving the entity) rather than load the referenced file's contents; restore the original file afterwards.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors (SAXParseException) from the user manager or validator configuration mentioning DOCTYPE or entities
  • Unexpected modifications to the Azkaban configuration directory, and unusual file access by the Azkaban process
  • DOCTYPE or ENTITY declarations appearing in XML delivered to the Azkaban host by configuration management or deployment pipelines

Network Indicators:

  • HTTP requests to Azkaban carrying XML with DOCTYPE or ENTITY declarations
  • Outbound connections from the Azkaban host to unexpected external systems, in particular HTTP or FTP fetches at startup or on configuration reload (external DTD retrieval is the usual out-of-band exfiltration channel)

SIEM Query:

source="azkaban.log" AND ("DOCTYPE" OR "<!ENTITY" OR "SAXParseException")

The bare word SYSTEM is too common in normal log traffic to be a useful term on its own; match on DOCTYPE or the <!ENTITY marker instead.

🔗 References

  • Azkaban issue tracking the XXE report and fix: https://github.com/azkaban/azkaban/issues/2478