CVE-2021-23926

9.1 CRITICAL

📋 TL;DR

This vulnerability in the XML parsers used by XMLBeans allows attackers to perform XML entity expansion and external entity (XXE) attacks by submitting malicious XML input. It affects all applications using XMLBeans up to version 2.6.0 for XML processing. Successful exploitation could lead to denial of service or information disclosure.

💻 Affected Systems

Products:
  • Apache XMLBeans
  • Apache POI (uses XMLBeans)
  • Apache Axis
  • Any application using XMLBeans library
Versions: All versions up to and including 2.6.0
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default XML parser configuration. Applications must explicitly set secure properties to mitigate.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system denial of service through resource exhaustion (billion laughs attack) or potential information disclosure via external entity references.

🟠 Likely Case

Application denial of service causing service disruption and potential data loss.

🟢 If Mitigated

Limited impact with proper XML parser configuration and input validation in place.

🌐 Internet-Facing: HIGH - XML parsing is commonly exposed in web services and APIs that accept XML input.
🏢 Internal Only: MEDIUM - Internal applications processing XML from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE attacks are well-documented and easy to implement. No authentication required if XML input is accepted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XMLBeans 2.6.1 and later

Vendor Advisory: https://issues.apache.org/jira/browse/XMLBEANS-517

Restart Required: Yes

Instructions:

1. Update the XMLBeans dependency to version 2.6.1 or later.
2. Update pom.xml or build.gradle to reference the fixed version.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Configure XML parser securely

all

Manually set secure processing features on XML parsers before use

// Java code: disable DTD processing and external entity resolution on a StAX factory
import javax.xml.stream.XMLInputFactory;

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
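An added, stand-alone JDK example (not code from the advisory or from XMLBeans) that turns the workaround above into a check you can run: the class name, hardenedFactory, textContent and the two sample documents are constructed here. It runs the same input through a default StAX factory and the hardened one, so you can see that the hardened parser fails on an entity reference instead of expanding it.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxCheck {

    // StAX factory with the two properties from the workaround switched off.
    // Only readers created from this factory are affected; a parser built
    // elsewhere (for example inside a library) needs its own configuration.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return factory;
    }

    // Concatenated character content of the document, or null when the parser
    // reports an error. With SUPPORT_DTD off the internal subset is not processed,
    // so a reference to an entity declared there cannot be resolved and fails.
    static String textContent(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder out = new StringBuilder();
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    out.append(reader.getText());
                }
            }
            reader.close();
            return out.toString();
        } catch (XMLStreamException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed samples (not from the advisory): a plain document and one
        // whose content refers to an entity declared in an internal DTD subset.
        String plain = "<order><id>42</id></order>";
        String withEntity = "<!DOCTYPE order [<!ENTITY x \"expanded\">]>"
                + "<order><id>&x;</id></order>";

        System.out.println("default  / plain : " + textContent(XMLInputFactory.newInstance(), plain));
        System.out.println("default  / entity: " + textContent(XMLInputFactory.newInstance(), withEntity));
        System.out.println("hardened / plain : " + textContent(hardenedFactory(), plain));
        System.out.println("hardened / entity: " + textContent(hardenedFactory(), withEntity));
    }
}
```

Compile and run with a plain JDK (javac HardenedStaxCheck.java && java HardenedStaxCheck); no XMLBeans jar is needed because the point is the factory configuration, not the XMLBeans API.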

Input validation and filtering

all

Reject XML containing DOCTYPE declarations or external entity references

// Java code: coarse pre-check on the raw document text, run before the string reaches any parser
static void rejectDoctype(String xml) {
    if (xml.contains("<!DOCTYPE") || xml.contains("<!ENTITY")) {
        throw new SecurityException("Malicious XML detected");
    }
}

🧯 If You Can't Patch

  • Implement network segmentation to isolate XML processing services
  • Deploy web application firewall with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for XMLBeans version ≤2.6.0. For Maven: mvn dependency:tree | grep xmlbeans

Check Version:

mvn dependency:tree | grep -i xmlbeans
OR
find . -name "*.jar" -exec jar tf {} \; | grep xmlbeans

Verify Fix Applied:

Confirm XMLBeans version ≥2.6.1 in dependencies and test with malicious XML containing entity expansion

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes during XML processing
  • XML parsing errors containing entity references
  • Repeated XML parsing failures

Network Indicators:

  • Large XML payloads with repeated entity patterns
  • XML containing !DOCTYPE or !ENTITY declarations

SIEM Query:

source="application.log" AND ("OutOfMemoryError" OR "XML parsing error") AND process="java"

🔗 References
