CVE-2021-1628
📋 TL;DR
CVE-2021-1628 is an XML External Entity (XXE) vulnerability in Mule runtime that allows attackers to read arbitrary files from the server or perform server-side request forgery (SSRF). This affects MuleSoft customers using Mule 4.x runtime versions released before February 2, 2021, in both CloudHub and on-premise deployments.
💻 Affected Systems
- Mule Runtime
- MuleSoft Anypoint Platform
📦 What is this software?
Mule by Salesforce
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file readable by the Mule runtime process (application configuration, keystores, credentials, source), SSRF-based reconnaissance of the internal network from the runtime's network position, and, only where a further weakness is reachable through that SSRF, remote code execution. XXE in a Java XML parser does not by itself yield code execution.
Likely Case
Unauthorized access to sensitive files (configuration files, credentials, source code) and potential SSRF attacks against internal services.
If Mitigated
Limited impact: with DTD processing and external entity resolution disabled there is nothing for an XXE payload to trigger, and network segmentation plus egress filtering bound what an SSRF through the parser could reach.
🎯 Exploit Status
XXE is a well-understood vulnerability class with many public payloads that apply directly. Exploitation requires only the ability to submit XML to an endpoint that parses it with the vulnerable runtime; no authentication bypass or memory-corruption primitive is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Mule 4.x runtime versions released on or after February 2, 2021
Vendor Advisory: https://help.salesforce.com/articleView?id=000357384&type=1&mode=1
Restart Required: Yes
Instructions:
1. Upgrade to a Mule 4.x runtime version released on or after February 2, 2021.
2. Redeploy every Mule application onto the patched runtime.
3. Restart the Mule runtime instances.
4. Confirm that no application still bundles or configures its own XML parser with DTD processing and external entity resolution enabled.
🔧 Temporary Workarounds
XML Parser Hardening
- Configure every XML parser the application constructs itself to disable DTD processing and external entity resolution
- For StAX parsers, set XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES (property name javax.xml.stream.isSupportingExternalEntities) to false
- Set XMLInputFactory.SUPPORT_DTD (property name javax.xml.stream.supportDTD) to false; this rejects the DOCTYPE altogether and is the stronger of the two settings
- Apply the equivalent secure settings wherever XML parsing is configured in Mule configuration files
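The following is an added example, not code from Mule or from the advisory, showing what the two XMLInputFactory properties above change in plain Java. It assumes the JDK's built-in StAX implementation (Java 11 or later) and stands in for /etc/passwd with a constructed temp file so it runs anywhere. The weak factory resolves the SYSTEM entity and returns the file's contents as element text; the hardened factory refuses the document. The `leaks` helper is the same check you would run against any parser configuration an application or custom component builds.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class StaxHardeningDemo {

    /** Default factory: on the JDK's built-in StAX this accepts a DTD and resolves SYSTEM entities. */
    static XMLInputFactory weakFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened factory: the two properties from the workaround above. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // javax.xml.stream.supportDTD=false: reject the DOCTYPE, and with it every ENTITY declaration.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // javax.xml.stream.isSupportingExternalEntities=false: even if a DTD were processed,
        // never fetch SYSTEM/PUBLIC entities (file, http, ...).
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Parse the document and return its character content, or empty if the parser
     * refused it. For an XXE payload the character content is where the file read
     * through the entity would surface.
     */
    static Optional<String> textContent(XMLInputFactory factory, String xml) {
        StringBuilder out = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    out.append(r.getText());
                }
            }
            r.close();
            return Optional.of(out.toString());
        } catch (XMLStreamException e) {
            return Optional.empty(); // parser rejected the DOCTYPE or the undeclared entity
        }
    }

    /** True if parsing the payload with this factory exposed the secret in element text. */
    static boolean leaks(XMLInputFactory factory, String payload, String secret) {
        return textContent(factory, payload).map(t -> t.contains(secret)).orElse(false);
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for /etc/passwd so the demo is portable (assumption, not a real target).
        Path secretFile = Files.createTempFile("xxe-demo", ".txt");
        secretFile.toFile().deleteOnExit();
        Files.writeString(secretFile, "SECRET-TOKEN");

        // Classic file-read XXE payload, pointing at the temp file instead of a system file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">]>\n"
                + "<r>&xxe;</r>";

        System.out.println("weak factory leaks secret:     " + leaks(weakFactory(), payload, "SECRET-TOKEN"));
        System.out.println("hardened factory leaks secret: " + leaks(hardenedFactory(), payload, "SECRET-TOKEN"));
        System.out.println("hardened factory outcome:      "
                + textContent(hardenedFactory(), payload)
                        .map(t -> "parsed, text=\"" + t + "\"")
                        .orElse("rejected"));
    }
}
```

Setting SUPPORT_DTD to false is the setting that actually closes the hole: with the DTD skipped, the entity is never declared, so the reference cannot be expanded regardless of where it points. IS_SUPPORTING_EXTERNAL_ENTITIES is kept as a second line of defence for implementations that still read the internal subset.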
Input Validation
- Enforce XML schema validation and input filtering on every XML endpoint
- Add XML schema validation to all XML processing endpoints, combined with DTD rejection: schema validation alone does not stop XXE, because the parser expands entities before the validator sees the content
- Reject any request whose XML prolog contains a DOCTYPE declaration before the body reaches the parser
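An added example of the DOCTYPE pre-filter described above, not part of the advisory or of Mule. It inspects only the prolog (everything before the root element), so a DOCTYPE literal inside a comment or CDATA in the body does not cause a false positive, and it decodes UTF-16 bodies with or without a BOM, since re-encoding the payload is a common way to slip past byte-level signatures. Where this runs (an API gateway policy, a custom component in the flow) is left to the deployment; the class and method names are this example's own.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public final class DoctypeGuard {

    public enum Verdict { ACCEPT, REJECT_DOCTYPE, REJECT_MALFORMED }

    private DoctypeGuard() {}

    /** Inspect only the XML prolog of a request body and decide before any parser runs. */
    public static Verdict inspect(byte[] body) {
        String text = decodeProlog(body);
        int i = 0;
        int n = text.length();
        while (i < n) {
            char c = text.charAt(i);
            if (Character.isWhitespace(c)) {
                i++;
                continue;
            }
            if (c != '<') {
                return Verdict.REJECT_MALFORMED;                 // bare text before the root element
            }
            if (text.startsWith("<?", i)) {                       // XML declaration or processing instruction
                int end = text.indexOf("?>", i + 2);
                if (end < 0) return Verdict.REJECT_MALFORMED;
                i = end + 2;
            } else if (text.startsWith("<!--", i)) {              // comment: skip, do not match inside it
                int end = text.indexOf("-->", i + 4);
                if (end < 0) return Verdict.REJECT_MALFORMED;
                i = end + 3;
            } else if (text.regionMatches(true, i, "<!DOCTYPE", 0, 9)) {
                return Verdict.REJECT_DOCTYPE;                    // the only place a DTD can legally appear
            } else if (i + 1 < n && isNameStart(text.charAt(i + 1))) {
                return Verdict.ACCEPT;                            // root element reached, prolog is clean
            } else {
                return Verdict.REJECT_MALFORMED;                   // "<!", "<[" etc. are not valid here
            }
        }
        return Verdict.REJECT_MALFORMED;                          // no root element at all
    }

    private static boolean isNameStart(char c) {
        return Character.isLetter(c) || c == '_' || c == ':';
    }

    /**
     * Decode the first 8 KiB with BOM / UTF-16 detection. A prolog longer than that
     * (for example a huge comment) is rejected as malformed by the caller, which is
     * the conservative outcome for a filter.
     */
    private static String decodeProlog(byte[] body) {
        int len = Math.min(body.length, 8192);
        Charset cs = StandardCharsets.UTF_8;
        int skip = 0;
        if (len >= 3 && (body[0] & 0xFF) == 0xEF && (body[1] & 0xFF) == 0xBB && (body[2] & 0xFF) == 0xBF) {
            skip = 3;                                             // UTF-8 BOM
        } else if (len >= 2 && (body[0] & 0xFF) == 0xFE && (body[1] & 0xFF) == 0xFF) {
            cs = StandardCharsets.UTF_16BE; skip = 2;
        } else if (len >= 2 && (body[0] & 0xFF) == 0xFF && (body[1] & 0xFF) == 0xFE) {
            cs = StandardCharsets.UTF_16LE; skip = 2;
        } else if (len >= 2 && body[0] == 0 && body[1] == '<') {
            cs = StandardCharsets.UTF_16BE;                       // UTF-16 without BOM
        } else if (len >= 2 && body[0] == '<' && body[1] == 0) {
            cs = StandardCharsets.UTF_16LE;
        }
        return new String(body, skip, len - skip, cs);
    }

    public static void main(String[] args) {
        // Constructed sample bodies: one clean, one XXE, two decoys that a naive substring match would block.
        String[] samples = {
            "<?xml version=\"1.0\"?><order><id>42</id></order>",
            "<?xml version=\"1.0\"?>\n<!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n<order>&xxe;</order>",
            "<!-- <!DOCTYPE inside a comment is harmless --> <order/>",
            "<order><![CDATA[<!DOCTYPE literal in CDATA is harmless too]]></order>",
        };
        for (String s : samples) {
            System.out.println(inspect(s.getBytes(StandardCharsets.UTF_8)) + "  <- " + s.replace('\n', ' '));
        }
        // The XXE sample re-encoded as UTF-16LE without a BOM, a common signature-evasion trick.
        byte[] utf16 = samples[1].getBytes(StandardCharsets.UTF_16LE);
        System.out.println(inspect(utf16) + "  <- same XXE payload as UTF-16LE");
    }
}
```

Expected verdicts are ACCEPT, REJECT_DOCTYPE, ACCEPT, ACCEPT, and REJECT_DOCTYPE for the UTF-16 variant. The filter is a complement to parser hardening, not a replacement: it protects parsers you cannot reconfigure, while SUPPORT_DTD=false protects against bodies this filter never sees.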
🧯 If You Can't Patch
- Implement network segmentation and egress filtering so the Mule runtime cannot reach sensitive internal systems; this does not remove the file-read path but bounds what an SSRF through the parser can touch
- Deploy a web application firewall (WAF) with XXE rules that block DOCTYPE and ENTITY declarations in request bodies; treat this as a stopgap, since byte-level signatures can be evaded with alternative encodings such as UTF-16
🔍 How to Verify
Check if Vulnerable:
Check Mule runtime version: If using Mule 4.x version released before February 2, 2021, the system is vulnerable. Test with XXE payloads against XML endpoints.
Check Version:
Check Mule runtime version in Anypoint Runtime Manager or via Mule CLI: mule -version
Verify Fix Applied:
Confirm the deployed Mule runtime is a version released on or after February 2, 2021. Then submit a benign XXE test payload (an entity whose SYSTEM identifier points at a file or listener you control) to each XML endpoint and confirm the request is rejected, and that the file contents never appear in the response and the listener never receives a connection.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors mentioning 'DOCTYPE' or 'ENTITY' (on a hardened parser these errors are the footprint of blocked XXE attempts; on an unpatched one, a successful payload produces no error at all)
- Unusual file access patterns from Mule runtime process
- HTTP requests to internal resources from Mule runtime
Network Indicators:
- XML payloads containing external entity references in HTTP requests
- Outbound connections from Mule runtime to unexpected internal services
SIEM Query:
source="mule-runtime" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*XXE*")
Expect noise from the ENTITY term, which also matches unrelated log text; review hits together with the request that produced them and with any outbound connection from the runtime at the same time.