CVE-2021-41411
📋 TL;DR
This XML External Entity (XXE) vulnerability in Drools (7.59.x and earlier) lets an attacker who can get XML into the KieModuleMarshaller component read files from the server filesystem or make the server issue requests to internal systems (SSRF). It affects any Drools deployment that feeds untrusted XML (for example an uploaded kmodule.xml or KJAR) through that component. The root cause is that the XML schema Validator used by KieModuleMarshaller was left with JAXP default settings, which do not stop the parser from resolving a DOCTYPE's external DTD and entity references.
💻 Affected Systems
- Drools Business Rules Management System
📦 What is this software?
Drools by Red Hat: an open-source business rules engine in the KIE family of projects. The vulnerable component, KieModuleMarshaller, reads and writes the kmodule.xml descriptor that declares a module's knowledge bases and sessions; it validates that XML against the kmodule schema before unmarshalling it.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of sensitive files (credentials, private keys, configuration) leading to lateral movement and data exfiltration, and, where SSRF reaches an internal service that accepts unauthenticated commands, remote code execution on that service.
Likely Case
Unauthorized reads of application configuration files, source code, or other data on the server. Because the XML is consumed by a schema validator rather than echoed back, the read is often blind: contents are exfiltrated out-of-band through an attacker-controlled DTD, or the bug is used to probe internal services.
If Mitigated
Limited impact if untrusted XML is rejected or stripped of DOCTYPE declarations before it reaches Drools, and egress filtering keeps the server from reaching internal services or the attacker's host.
🎯 Exploit Status
XXE is a well-understood bug class with many public payloads, and generic XXE techniques apply here without any Drools-specific exploit. Exploitation requires getting attacker-controlled XML to a code path that calls KieModuleMarshaller; whether that needs authentication depends entirely on how the application exposes that path (an unauthenticated upload endpoint makes it pre-auth).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.60.0 and later
Vendor Advisory: https://github.com/kiegroup/drools/pull/3808
Restart Required: Yes
Instructions:
1. Upgrade Drools to version 7.60.0 or later.
2. Update pom.xml or build.gradle so every org.drools and org.kie artifact resolves to the fixed version (pin one version property or use the Drools BOM so no transitive artifact lags behind).
3. Rebuild and redeploy your application.
4. Restart any running Drools services.
🔧 Temporary Workarounds
XML Input Validation and Filtering
Reject or filter XML before it reaches Drools: a kmodule.xml never needs a DOCTYPE, so refuse any input containing one
Validate the XML against the kmodule schema with a parser whose external DTD and schema access is explicitly disabled
Use secure XML parser settings (disallow-doctype-decl, ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA set to empty) on every parser that touches the input
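The pattern the CVE describes (a schema Validator built with JAXP defaults) next to a hardened front door, as an added example; this is not Drools code and not the upstream fix. It assumes the application already holds the XML as a String before handing it to Drools, and TOY_XSD is a constructed stand-in for the real kmodule.xsd. The XXE payload in main() points at a canary path that does not exist, so a parser that tries to resolve it fails loudly instead of reading a real file.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class KmoduleXmlGate {

    // Constructed stand-in for kmodule.xsd (assumption): <kmodule> holding <kbase name="..."/> elements.
    static final String TOY_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"kmodule\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"kbase\" maxOccurs=\"unbounded\"><xs:complexType mixed=\"true\">"
      + "<xs:attribute name=\"name\" type=\"xs:string\"/>"
      + "</xs:complexType></xs:element>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Pre-fix shape: a Validator with JAXP defaults. Nothing here tells the parser
    // to refuse external DTD or entity access, so a DOCTYPE in the input is honoured.
    static void validateWithDefaults(String xml) throws SAXException, IOException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Validator v = sf.newSchema(new StreamSource(new StringReader(TOY_XSD))).newValidator();
        v.validate(new StreamSource(new StringReader(xml)));
    }

    // Hardened front door: two gates before the XML goes anywhere near Drools.
    static void validateHardened(String xml)
            throws SAXException, IOException, ParserConfigurationException {
        // Gate 1: refuse any DOCTYPE. Entities (internal, external, parameter) can only be
        // declared inside a DOCTYPE, so this closes XXE and entity-expansion attacks in one move.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        // Gate 2: schema validation with external access switched off on both the factory
        // and the Validator, so even a validator that sees a DOCTYPE cannot fetch file:// or http://.
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(TOY_XSD)));
        Validator v = schema.newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        v.validate(new StreamSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        String benign = "<kmodule><kbase name=\"rules\"/></kmodule>";
        // Constructed XXE payload; the entity is referenced in element content because
        // XML forbids external entity references inside attribute values.
        String xxe = "<!DOCTYPE kmodule [<!ENTITY xxe SYSTEM \"file:///xxe-canary-does-not-exist\">]>"
                   + "<kmodule><kbase name=\"rules\">&xxe;</kbase></kmodule>";

        validateHardened(benign);
        System.out.println("hardened: benign input accepted");
        try {
            validateHardened(xxe);
            System.out.println("hardened: payload ACCEPTED (gate is misconfigured)");
        } catch (SAXException e) {
            System.out.println("hardened: payload rejected: " + e.getMessage());
        }
        try {
            validateWithDefaults(xxe);
            System.out.println("defaults: payload accepted");
        } catch (Exception e) {
            // With defaults the parser goes looking for the canary file; the error
            // typically names the path, which is how you know the fetch was attempted.
            System.out.println("defaults: " + e.getMessage());
        }
    }
}
```

Gate 1 is the one that matters as a workaround: rejecting the DOCTYPE up front means the Drools validator never sees an entity declaration, whichever version of Drools is on the classpath. Gate 2 is defence in depth for code paths that cannot be put behind the first check.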
Network Segmentation
Restrict outbound network access from Drools servers to prevent SSRF and out-of-band exfiltration
Configure firewall or egress-proxy rules to block outbound HTTP/HTTPS from Drools servers except to explicitly allowed destinations
Use network policies to restrict which internal services the Drools servers can reach
🧯 If You Can't Patch
- Implement strict XML input validation and sanitization at the application layer
- Deploy network controls to prevent outbound connections from Drools servers
🔍 How to Verify
Check if Vulnerable:
Check the Drools version that is actually resolved in your build (not only the one declared in pom.xml or build.gradle; a transitive dependency can pull in an older artifact). If any org.drools artifact is 7.59.x or earlier and untrusted XML can reach KieModuleMarshaller, you are vulnerable.
Check Version:
mvn dependency:tree | grep -i drools (Maven) OR gradle dependencies | grep -i drools (Gradle); every org.drools artifact listed should show the same version
Verify Fix Applied:
Verify the resolved Drools version is >= 7.60.0 and confirm behaviourally that XML carrying a DOCTYPE with an external entity is rejected by the application's XML entry point, and that the parser makes no outbound connection while handling it.
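An out-of-band canary check for the "test XML processing with XXE payloads" step above, as an added example (not Drools code and not part of the original page). A loopback listener plays the attacker's server: if the parser connects to it while handling the payload, external entities are being resolved, regardless of what the version number says. It assumes you wire XmlSink to your application's real entry point; the two sinks in main() are plain JAXP stand-ins, and the Drools class named in the comment (KieModuleModelImpl.fromXML) is an assumption about the Drools source tree, to be adapted to whatever your application actually calls.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public final class XxeCanaryCheck {

    @FunctionalInterface
    interface XmlSink { void accept(String xml) throws Exception; }

    // Returns true if the sink opened an HTTP connection to the canary listener.
    static boolean parserDialsOut(XmlSink sink) throws Exception {
        final ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        listener.setSoTimeout(3000);                       // give up if nobody connects
        final AtomicBoolean dialedOut = new AtomicBoolean(false);

        Thread server = new Thread(() -> {
            try (Socket s = listener.accept()) {
                dialedOut.set(true);
                // Drain the request headers, then answer a tiny 200 so the parser
                // finishes the entity fetch instead of hanging.
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
                String line;
                while ((line = in.readLine()) != null && !line.isEmpty()) { /* skip header */ }
                s.getOutputStream().write(
                        "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
                                .getBytes(StandardCharsets.US_ASCII));
                s.getOutputStream().flush();
            } catch (IOException timeoutOrReset) {
                // SocketTimeoutException lands here: no connection, the parser did not dial out.
            }
        });
        server.start();

        // Constructed payload: an external general entity pointing at the listener.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE kmodule [\n"
                + "  <!ENTITY canary SYSTEM \"http://127.0.0.1:" + listener.getLocalPort() + "/xxe-canary\">\n"
                + "]>\n"
                + "<kmodule>&canary;</kmodule>\n";
        try {
            sink.accept(payload);
        } catch (Exception rejected) {
            // A hardened sink throws on the DOCTYPE; that is the outcome we want.
        }
        server.join();
        listener.close();
        return dialedOut.get();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in 1: JAXP DOM parser with factory defaults.
        XmlSink defaults = xml -> DocumentBuilderFactory.newInstance()
                .newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        // Stand-in 2: the same parser with DOCTYPE declarations refused.
        XmlSink hardened = xml -> {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        };
        // For the real check, replace a stand-in with the application's own entry point,
        // e.g. xml -> KieModuleModelImpl.fromXML(xml) with drools-compiler on the classpath
        // (class name assumed from the Drools source tree; adapt to your code path).
        System.out.println("defaults sink dials out: " + parserDialsOut(defaults));
        System.out.println("hardened sink dials out: " + parserDialsOut(hardened));
    }
}
```

Run it against the real entry point before and after the upgrade: a true result is proof the fix is not in effect on that code path, whatever the dependency tree says. Because the listener binds to loopback, the check works on a build host with no outbound network access, which is exactly where the network-segmentation workaround would otherwise hide the problem.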
📡 Detection & Monitoring
Log Indicators:
- XML-layer errors that mention a file path or URL the application never references; a failed external entity fetch surfaces as a FileNotFoundException or ConnectException wrapped in a SAXParseException
- Parsing errors or request bodies containing DOCTYPE or ENTITY declarations, which a legitimate kmodule.xml never carries
- Outbound HTTP requests initiated by the Drools process to internal services or to unknown external hosts
Network Indicators:
- Connections from Drools servers to internal services they do not normally talk to (cloud metadata endpoints and admin interfaces are common SSRF targets)
- Outbound DNS or HTTP from the Drools server to a host the application has no business reaching, which is the signature of out-of-band exfiltration through an attacker-hosted DTD
SIEM Query:
source="drools" AND (message="*<!ENTITY*" OR message="*<!DOCTYPE*" OR message="*SYSTEM \"file:*")
Matching on a bare "http:" in log messages is too noisy to be useful; the DOCTYPE/ENTITY strings are rare in normal Drools logs and make a far better first-pass indicator.