CVE-2021-43090

9.8 CRITICAL

📋 TL;DR

CVE-2021-43090 is an XML External Entity (XXE) vulnerability in soa-model's WSDLParser function that allows attackers to read arbitrary files, conduct server-side request forgery (SSRF), or cause denial of service by processing malicious WSDL files. This affects any application using soa-model library versions before 1.6.4 to parse WSDL documents.

💻 Affected Systems

Products:
  • soa-model library
Versions: All versions before 1.6.4
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when parsing WSDL files. Applications must be using the WSDLParser function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through file disclosure, SSRF attacks on internal services, or denial of service via XML bombs.

🟠 Likely Case

Arbitrary file read from the server filesystem, potentially exposing sensitive configuration files or credentials.

🟢 If Mitigated

Limited impact if XML parsing is disabled or external entity processing is blocked at the network/application level.

🌐 Internet-Facing: HIGH - Any internet-facing service using vulnerable soa-model to parse user-supplied WSDL files is at significant risk.
🏢 Internal Only: MEDIUM - Internal services could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with many public exploit examples. Exploitation requires ability to submit WSDL files to vulnerable parser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.4

Vendor Advisory: https://github.com/membrane/soa-model/releases/tag/v1.6.4

Restart Required: Yes

Instructions:

1. Update the soa-model dependency to version 1.6.4 or later.
2. Update pom.xml or build.gradle to use the fixed version.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Disable XXE processing (applies to: all)

Configure the XML parser to disable external entity processing.

Set XML parser properties: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true

Input validation (applies to: all)

Validate and sanitize WSDL input before parsing.
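An added example (not code from the soa-model project or from this advisory) of the hardening the workaround describes, applied to a JAXP DocumentBuilder under the application's own control; it assumes the application can parse or pre-check the WSDL itself before handing it to soa-model, since the library's own WSDLParser is only fixed by upgrading to 1.6.4. The property names quoted above correspond to javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING and the Xerces feature URI http://apache.org/xml/features/disallow-doctype-decl; the sample WSDL is constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class WsdlPreflight {
    // Constructed sample (not a real WSDL from the advisory): a DOCTYPE with an
    // internal entity. Legitimate WSDL documents have no reason to declare a DOCTYPE.
    static final String SAMPLE_WSDL =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE definitions [ <!ENTITY ex \"placeholder\"> ]>\n"
      + "<definitions xmlns=\"http://schemas.xmlsoap.org/wsdl/\" name=\"&ex;\"/>";

    /** JAXP defaults: DOCTYPE allowed and entity references expanded. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** The workaround's settings: secure processing on, DOCTYPE forbidden, no external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores disallow-doctype-decl.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** True if the document parses under the given factory, false if the parser rejects it. */
    static boolean parses(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {   // SAXParseException for the forbidden DOCTYPE, among others
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser accepts sample:  " + parses(defaultFactory(), SAMPLE_WSDL));
        System.out.println("hardened parser accepts sample: " + parses(hardenedFactory(), SAMPLE_WSDL));
    }
}
```

Rejecting any WSDL that carries a DOCTYPE at the application boundary is the check to keep even after upgrading, since it costs nothing for legitimate documents.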

🧯 If You Can't Patch

  • Implement network segmentation to restrict vulnerable services from accessing sensitive internal resources
  • Deploy web application firewall (WAF) with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for soa-model version <1.6.4. Review code for WSDLParser usage.

Check Version:

  • Maven: mvn dependency:tree | grep soa-model
  • Gradle: gradle dependencies | grep soa-model

Verify Fix Applied:

Verify soa-model version is 1.6.4 or later in dependencies. Test with known XXE payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from XML parser
  • Unusual volumes of XML parsing errors or timeouts
  • Requests with XML entities referencing local files

Network Indicators:

  • Outbound connections from XML parser to internal services
  • Unusual file:// or http:// references in XML payloads

SIEM Query:

source="application_logs" AND ("XXE" OR "external entity" OR "DOCTYPE" OR "ENTITY")
