CVE-2020-6958

9.1 CRITICAL

📋 TL;DR

This CVE describes an XML External Entity (XXE) vulnerability in JnlpSupport within Yet Another Java Service Wrapper (YAJSW) version 12.14. It allows attackers to read files from remote hosts and potentially cause denial of service by getting the wrapper to parse malicious XML. This affects systems running NSA Ghidra and other products that use YAJSW 12.14.

💻 Affected Systems

Products:
  • Yet Another Java Service Wrapper (YAJSW)
  • NSA Ghidra
Versions: YAJSW 12.14
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any product using YAJSW 12.14 with JnlpSupport enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can exfiltrate sensitive files from the server, including configuration files, credentials, and system files, potentially leading to complete system compromise.

🟠 Likely Case

Data exfiltration from vulnerable servers, potentially exposing sensitive information stored on the system.

🟢 If Mitigated

Limited impact if proper network segmentation and input validation are in place, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - Internet-facing systems are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require attacker access to the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists demonstrating file exfiltration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: YAJSW versions after 12.14

Vendor Advisory: https://sourceforge.net/p/yajsw/bugs/166/

Restart Required: Yes

Instructions:

1. Upgrade YAJSW to a version after 12.14.
2. Update any dependent applications like Ghidra.
3. Restart affected services.

🔧 Temporary Workarounds

Disable JnlpSupport

Platform: all

Disable the vulnerable JnlpSupport feature if not required.

Modify YAJSW configuration to set jnlp.support.enabled=false

XML Parser Hardening

Platform: all

Configure XML parsers to disable external entity resolution.

Set XML parser properties: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy web application firewall (WAF) rules to block XXE payloads

🔍 How to Verify

Check if Vulnerable:

Check the YAJSW version: grep for 'version' in the YAJSW configuration files, or check the installed package version.

Check Version:

java -jar yajsw.jar -v (or check wrapper.conf for version)

Verify Fix Applied:

Verify YAJSW version is greater than 12.14 and test with XXE payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • File access attempts via XML entities
  • Outbound connections to external entities

Network Indicators:

  • HTTP requests with XML payloads containing external entity references
  • Outbound connections to unexpected external hosts

SIEM Query:

source="*yajsw*" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*")
