CVE-2021-27777
📋 TL;DR
CVE-2021-27777 is an XML External Entity (XXE) injection vulnerability in HCL Domino that allows attackers to read arbitrary files from the server filesystem. This affects HCL Domino servers with vulnerable XML parser configurations. Attackers can exploit this by submitting specially crafted XML documents to vulnerable endpoints.
💻 Affected Systems
- HCL Domino
📦 What is this software?
Unica by Hcltech
⚠️ Risk & Real-World Impact
Worst Case
Complete server filesystem disclosure including sensitive configuration files, password files, and application data leading to full system compromise.
Likely Case
Unauthorized reading of sensitive server files containing configuration data, credentials, or application data.
If Mitigated
Limited impact with proper XML parser hardening and input validation in place.
🎯 Exploit Status
XXE vulnerabilities are well-understood with readily available exploit techniques. Exploitation requires sending malicious XML to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HCL Domino 11.0.1 FP6 and 12.0.0
Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124
Restart Required: Yes
Instructions:
1. Download and install HCL Domino 11.0.1 FP6 or 12.0.0 from the HCL support portal.
2. Apply the update to all affected Domino servers.
3. Restart the Domino server services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable XXE in XML parser
- Configure XML parsers to disable external entity processing
- Set XML parser properties: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true
Input validation and sanitization
- Implement strict XML input validation and sanitization
- Implement XML schema validation
- Use allowlists for XML elements and attributes
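As an added example (not code from this advisory, from HCL, or from Domino itself), the following Python standard-library intake gate applies the two workarounds above to untrusted XML: it aborts on any DOCTYPE declaration before an entity can be defined (the same idea as DISALLOW_DOCTYPE_DECL), never expands parameter entities, and then enforces an element allowlist. The sample documents, the allowlist and the `file:///PLACEHOLDER/path` entity target are constructed for the demonstration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DoctypeRejected(ValueError):
    """Raised when the document carries a DOCTYPE declaration."""


class ElementNotAllowed(ValueError):
    """Raised when the document uses an element outside the allowlist."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    # Expat invokes this at the start of <!DOCTYPE ...>, before any <!ENTITY ...>
    # in the internal subset is processed, so nothing is defined or fetched.
    raise DoctypeRejected(f"DOCTYPE '{name}' is not accepted")


def reject_doctype(xml_bytes: bytes) -> None:
    """Stage 1: tokenize the document and abort on any DOCTYPE declaration."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _on_doctype
    # Defence in depth: never expand parameter entities, whatever the document says.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)


def parse_hardened(xml_bytes: bytes, allowed_elements: frozenset) -> ET.Element:
    """Parse untrusted XML: no DOCTYPE, well-formed, and only allowlisted element names."""
    try:
        reject_doctype(xml_bytes)
        root = ET.fromstring(xml_bytes)
    except (xml.parsers.expat.ExpatError, ET.ParseError) as exc:
        # Covers malformed input and entity references with no DTD to define them.
        raise ValueError(f"malformed XML rejected: {exc}") from exc
    for element in root.iter():
        if element.tag not in allowed_elements:
            raise ElementNotAllowed(f"element <{element.tag}> is not in the allowlist")
    return root


def classify(xml_bytes: bytes, allowed_elements: frozenset) -> str:
    """Return a short verdict instead of raising; handy for tests and monitoring."""
    try:
        parse_hardened(xml_bytes, allowed_elements)
        return "accepted"
    except DoctypeRejected:
        return "rejected:doctype"
    except ElementNotAllowed:
        return "rejected:element"
    except ValueError:
        return "rejected:malformed"


# Constructed sample inputs (not captured traffic); the allowlist is hypothetical.
ALLOWED = frozenset({"request", "user", "action"})
BENIGN = b"<request><user>alice</user><action>read</action></request>"
# Textbook XXE shape: a DTD that defines an external entity. The path is a placeholder.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/path">]>'
       b'<request><user>&xxe;</user></request>')
UNLISTED = b"<request><debug>true</debug></request>"
NO_DTD_ENTITY = b"<request><user>&xxe;</user></request>"

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("xxe", XXE),
               ("unlisted", UNLISTED), ("no_dtd_entity", NO_DTD_ENTITY)]
    for label, doc in samples:
        print(f"{label:14s} {classify(doc, ALLOWED)}")
```

Rejecting the DOCTYPE outright is simpler and safer than trying to enumerate dangerous entity forms: with no DTD accepted, an external entity can never be declared, and a stray `&xxe;` reference becomes a plain well-formedness error. The allowlist stage is the "allowlists for XML elements" workaround; schema validation would go in the same place once the document is known to be DTD-free.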
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable servers from untrusted networks
- Deploy web application firewall (WAF) with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Domino version using the 'tell http show version' console command and compare it against the vulnerable versions (prior to 11.0.1 FP6 or 12.0.0)
Check Version:
tell http show version
Verify Fix Applied:
Verify installed version is 11.0.1 FP6 or 12.0.0+ and test XML processing endpoints with XXE payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Multiple failed XML parsing attempts
- Requests with DOCTYPE declarations in XML payloads
Network Indicators:
- HTTP requests containing XML with external entity references
- Unusual outbound connections from server following XML processing
SIEM Query:
source="domino.log" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM") AND xml
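As an added example (not part of this advisory), the log and network indicators above are implemented over constructed sample log lines. The line layout (`<timestamp> <client-ip> <message>`) and the request-body logging are assumptions about a hypothetical logging layer in front of Domino, not Domino's own log format; the IPs are documentation ranges. The block also reproduces the keyword logic of the SIEM query above so the two approaches can be compared on the same lines.

```python
import re
from collections import Counter

# Constructed sample log lines: "<timestamp> <client-ip> <message>". Not real Domino output.
SAMPLE_LOG = [
    '2021-06-01T10:00:01Z 198.51.100.7 POST /xmlapi status=200 body="<order><id>42</id></order>"',
    '2021-06-01T10:00:02Z 203.0.113.5 POST /xmlapi status=500 body="<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///PLACEHOLDER\">]><r>&e;</r>"',
    '2021-06-01T10:00:03Z 203.0.113.5 XML parsing error: undefined entity',
    '2021-06-01T10:00:04Z 203.0.113.5 XML parsing error: unexpected token',
    '2021-06-01T10:00:05Z 203.0.113.5 XML parsing error: DOCTYPE not allowed',
    '2021-06-01T10:00:06Z 198.51.100.7 POST /xmlapi status=200 body="<host><name>SYSTEM-01</name></host>"',
]

# Anchor on the markup, not bare keywords: a DOCTYPE declaration, and an entity
# declaration (general or parameter) that points at an external SYSTEM/PUBLIC identifier.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
PARSE_ERROR_RE = re.compile(r"XML parsing error", re.I)

# The advisory's SIEM query, reduced to its keyword logic (case-insensitive substring match).
SIEM_KEYWORDS = ("doctype", "entity", "system")


def parse_line(line: str) -> dict:
    """Split a constructed log line into timestamp, client IP and free-text message."""
    ts, client, message = line.split(" ", 2)
    return {"ts": ts, "client": client, "message": message}


def siem_query_matches(line: str) -> bool:
    """Mimic: ("DOCTYPE" OR "ENTITY" OR "SYSTEM") AND xml."""
    lowered = line.lower()
    return "xml" in lowered and any(k in lowered for k in SIEM_KEYWORDS)


def analyze(lines, error_threshold: int = 3) -> dict:
    """Apply the log indicators and return per-indicator findings keyed by client IP."""
    doctype_payloads, external_entities = [], []
    parse_errors = Counter()
    for rec in map(parse_line, lines):
        msg, client = rec["message"], rec["client"]
        if DOCTYPE_RE.search(msg):
            doctype_payloads.append(client)
        if EXT_ENTITY_RE.search(msg):
            external_entities.append(client)
        if PARSE_ERROR_RE.search(msg):
            parse_errors[client] += 1
    repeated = {c: n for c, n in parse_errors.items() if n >= error_threshold}
    return {
        "doctype_payloads": doctype_payloads,
        "external_entities": external_entities,
        "repeated_parse_errors": repeated,
        "siem_hits": sum(1 for line in lines if siem_query_matches(line)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:22s} {value}")
```

On these lines the keyword query fires four times: the crafted request, two of the parse-error lines, and the benign request whose content happens to contain "SYSTEM-01". The markup-anchored patterns flag only the crafted request, and the per-client error counter surfaces the same source through its three consecutive parsing failures. Treat the SIEM query as a broad first pass and tune it toward the declaration syntax once you see how often ordinary payloads contain those words.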