CVE-2022-0265

9.8 CRITICAL

📋 TL;DR

This XXE vulnerability in Hazelcast 5.1-BETA-1 allows attackers to read arbitrary files from the server filesystem or perform server-side request forgery by processing malicious XML documents. It affects systems running Hazelcast 5.1-BETA-1 with XML processing enabled. The vulnerability stems from improper restriction of XML external entity references during XML parsing.

💻 Affected Systems

Products:
  • Hazelcast
Versions: 5.1-BETA-1 only
Operating Systems: All platforms running Hazelcast
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific beta version; stable releases and other versions are not vulnerable. Requires XML processing functionality to be used.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise via file disclosure of sensitive files (passwords, keys, configs) leading to lateral movement and data exfiltration, or SSRF attacks against internal services.

🟠 Likely Case: Unauthorized file read access to the server filesystem, potentially exposing configuration files, credentials, or sensitive application data.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal file permissions, though information disclosure risk remains.

🌐 Internet-Facing: HIGH - If exposed to untrusted XML input from external sources, attackers can directly exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires XML processing capability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious XML to vulnerable XML parsing endpoints. Public proof-of-concept exists in bounty reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 4d6b666cd0291abd618c3b95cdbb51aa4208e748 and later versions

Vendor Advisory: https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748

Restart Required: Yes

Instructions:

1. Upgrade to a Hazelcast version that includes commit 4d6b666cd0291abd618c3b95cdbb51aa4208e748.
2. Stop the Hazelcast service.
3. Replace with the patched version.
4. Restart the Hazelcast service.
5. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable XML external entity processing (applies to: all)

  • Configure XML parsers to disable external entity resolution
  • Set XML parser properties: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true

Input validation and filtering (applies to: all)

  • Implement strict input validation to reject XML containing external entity references
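As an added illustration (not code from Hazelcast or from this advisory), the following Java snippet applies the parser settings named in the workaround above to a JAXP DocumentBuilderFactory; the class and method names are mine, the feature URIs are those of the JDK's built-in Xerces parser, and the sample inputs are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Builds a parser that refuses any DOCTYPE and never resolves external entities.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The two settings named in the workaround (feature URIs of the JDK's built-in Xerces).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: should a DOCTYPE ever get through, no external content is fetched.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder b, String xml) throws Exception {
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a harmless config fragment, and the same fragment
        // prefixed with an external DTD reference (the pattern the detection section flags).
        String plain = "<config><cluster-name>demo</cluster-name></config>";
        String withDoctype = "<!DOCTYPE config SYSTEM \"http://example.invalid/c.dtd\">" + plain;

        DocumentBuilder hardened = newHardenedBuilder();
        System.out.println("plain parsed: " + parse(hardened, plain).getDocumentElement().getTagName());
        try {
            parse(hardened, withDoctype);
            System.out.println("DOCTYPE accepted: this parser is NOT hardened");
        } catch (SAXParseException e) {
            // Expected with the settings above: the DOCTYPE is rejected before anything is fetched.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

If the parser implementation in use does not support one of these features, setFeature throws ParserConfigurationException, which is the correct failure mode: a parser that cannot be hardened should not be handed untrusted input.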

🧯 If You Can't Patch

  • Implement network segmentation to isolate Hazelcast instances from sensitive systems
  • Apply strict file system permissions to limit accessible files on the server

🔍 How to Verify

Check if Vulnerable:

Check Hazelcast version: if running 5.1-BETA-1, you are vulnerable. Review if XML processing is enabled in your configuration.

Check Version:

Run: java -jar hazelcast-*.jar --version (or check application logs for version information)

Verify Fix Applied:

Verify that the running Hazelcast build includes commit 4d6b666cd0291abd618c3b95cdbb51aa4208e748. Test XML processing with known safe payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • File access attempts via XML parsing
  • Large XML payloads with external entity references

Network Indicators:

  • XML payloads containing SYSTEM or PUBLIC DTD declarations
  • Requests to XML processing endpoints with unusual patterns

SIEM Query:

source="hazelcast.log" AND ("XXE" OR "external entity" OR "DOCTYPE" OR "SYSTEM")
