CVE-2020-11988
📋 TL;DR
Apache XmlGraphics Commons versions 2.4 and earlier contain a server-side request forgery (SSRF) vulnerability in the XMPParser component. Attackers can exploit this by providing specially-crafted input to make the server perform arbitrary GET requests to internal or external systems. This affects any application using vulnerable versions of Apache XmlGraphics Commons to process XML metadata.
💻 Affected Systems
- Apache XmlGraphics Commons
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through internal service enumeration, data exfiltration via internal network requests, or exploitation of other vulnerabilities in internal services.
Likely Case
Information disclosure from internal services, port scanning of internal networks, or limited data exfiltration from accessible internal endpoints.
If Mitigated
Limited impact if network segmentation restricts outbound requests and input validation filters malicious payloads before processing.
🎯 Exploit Status
Exploitation requires the attacker to control the input reaching XMPParser, but no authentication is needed if the vulnerable endpoint is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6 or later
Vendor Advisory: https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E
Restart Required: Yes
Instructions:
1. Identify all applications using Apache XmlGraphics Commons.
2. Upgrade the dependency to version 2.6 or later.
3. Update application configuration if needed.
4. Restart affected services.
5. Test functionality after the upgrade.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation to reject or sanitize XML metadata containing suspicious URLs or SSRF payloads before it is processed by XMPParser.
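An added example of such a gate, written for this page rather than taken from the advisory or the XmlGraphics project: it assumes the unwanted GET is triggered by a DOCTYPE or external entity declaration in the metadata, so it parses the bytes once with a hardened SAX reader and rejects anything that is not self-contained before XMPParser sees it. The class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class XmpInputGate {

    /** Throws SAXException if the metadata declares a DOCTYPE or relies on
     *  external entities; a document that passes cannot make a parser fetch a URL. */
    public static void requireSelfContained(byte[] xml) throws SAXException, IOException {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            XMLReader reader = factory.newSAXParser().getXMLReader();
            reader.setContentHandler(new DefaultHandler());
            // Belt and braces: even if a feature were ignored, resolve nothing over the network.
            reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
            reader.parse(new InputSource(new ByteArrayInputStream(xml)));
        } catch (ParserConfigurationException e) {
            // A parser that cannot honour the hardening features must not be used at all.
            throw new SAXException("XML parser lacks required security features", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: plain XMP passes, an external DTD reference is rejected.
        String clean = "<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
                + "xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/></x:xmpmeta>";
        String withDoctype = "<!DOCTYPE x SYSTEM 'http://example.invalid/x.dtd'>"
                + "<x:xmpmeta xmlns:x='adobe:ns:meta/'/>";
        requireSelfContained(clean.getBytes(StandardCharsets.UTF_8));
        try {
            requireSelfContained(withDoctype.getBytes(StandardCharsets.UTF_8));
            throw new IllegalStateException("DOCTYPE should have been rejected");
        } catch (SAXException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Call requireSelfContained on the raw metadata bytes and only pass input that returns normally to XMPParser; the gate adds one extra parse per document, which is cheap relative to the image processing it protects.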
Network Outbound Restrictions
Configure firewall rules to restrict outbound HTTP/HTTPS requests from affected servers to only the external services they need. The rules below drop all outbound HTTP and HTTPS; insert ACCEPT rules for the specific destinations the server legitimately uses ahead of them, and remember that SSRF to internal services on other ports is not covered by port 80/443 rules alone.
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement network segmentation to isolate affected systems from sensitive internal services.
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in XML input.
🔍 How to Verify
Check if Vulnerable:
Check dependency manifest or build configuration for Apache XmlGraphics Commons version 2.4 or earlier.
Check Version:
Check Maven pom.xml: grep -i 'xmlgraphics-commons' pom.xml; or check Java classpath: java -cp "*" org.apache.xmlgraphics.Version
Verify Fix Applied:
Confirm Apache XmlGraphics Commons version is 2.6 or later in dependency files and runtime classpath.
📡 Detection & Monitoring
Log Indicators:
- Unexpected outbound HTTP requests from server process
- XML parsing errors with URL-like content
- Requests to internal IP addresses from server
Network Indicators:
- HTTP GET requests from server to unusual external domains
- Port scanning patterns originating from server
SIEM Query:
source="server_logs" AND (url="*://169.254.*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*")
Note that the 172.16.* pattern matches only 172.16.0.0/16; the private range is 172.16.0.0/12 (172.16 through 172.31), and loopback (127.*) is worth adding as well.
🔗 References
- https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://xmlgraphics.apache.org/security.html