CVE-2022-26662

CVSS 7.5 HIGH

📋 TL;DR

This CVE describes an XML Entity Expansion (XEE) vulnerability in the Tryton Application Platform. An unauthenticated attacker can send a crafted XML-RPC message whose DTD declares nested entities; expanding them during parsing consumes all of the server's memory and CPU (the classic "billion laughs" pattern), so one small request is enough to take the service down. Affected: Tryton Server 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x/6.2.x through 6.2.5; Tryton Command Line Client (proteus) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x/6.2.x through 6.2.1.

💻 Affected Systems

Products:
  • Tryton Application Platform (Server)
  • Tryton Command Line Client (proteus)
Versions: Server: 5.x through 5.0.45, 6.x through 6.0.15, 6.1.x and 6.2.x through 6.2.5; Client: 5.x through 5.0.11, 6.x through 6.0.4, 6.1.x and 6.2.x through 6.2.1
Operating Systems: All platforms running affected Tryton versions
Default Config Vulnerable: ⚠️ Yes
Notes: trytond serves XML-RPC on the same web listener as JSON-RPC and selects it by the request Content-Type (text/xml); there is no separate XML-RPC port or service to turn off. The default listener binds localhost:8000, so exposure depends on whether you bound it to a routable address or placed it behind a reverse proxy.

📦 What is this software?

Tryton is a Python-based, three-tier general-purpose application platform, best known as the foundation of an ERP suite. trytond is the server; proteus is a Python library for scripting against a Tryton server, either in-process or over the server's RPC interfaces.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through resource exhaustion, potentially causing server crashes and extended downtime.

🟠

Likely Case

Service disruption and performance degradation affecting all users of the Tryton application.

🟢

If Mitigated

Limited impact if XML-RPC interface is disabled or properly firewalled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: Unknown (no public exploit cited)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an HTTP POST with a crafted XML body to the XML-RPC endpoint. Entity-expansion payloads are generic and well documented, so no Tryton-specific research is needed to build one; the absence of a published proof of concept offers little protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Server: 5.0.46, 6.0.16, 6.2.6; Client: 5.0.12, 6.0.5, 6.2.2

Vendor Advisory: https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059

Restart Required: Yes

Instructions:

1. Back up the Tryton database and configuration.
2. Upgrade trytond to 5.0.46, 6.0.16 or 6.2.6, staying within your series (6.1.x installations move to 6.2.6).
3. Upgrade proteus on every host that uses it to 5.0.12, 6.0.5 or 6.2.2.
4. Restart all trytond processes, including any cron or worker processes, so the new code is loaded.
5. Confirm the running version (trytond --version) matches the patched release.

🔧 Temporary Workarounds

Disable XML-RPC Interface

Platform: all

Tryton's web listener serves XML-RPC and JSON-RPC on the same port (default 8000, bound to localhost unless configured otherwise). If your clients use only JSON-RPC, reject requests with Content-Type text/xml at the reverse proxy, or bind the listener to an address reachable only by the proxy. Check the trytond documentation for your version for a server-side switch before relying on one.

Network Access Control

Platform: Linux

Allow the Tryton port only from hosts that need it (your reverse proxy or client network) and drop everything else. A bare DROP rule, as often suggested, also cuts off legitimate clients. Insert the ACCEPT before the DROP and replace 10.0.0.0/24 with your trusted range; the iptables and ufw pairs are alternatives, not both:

iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
ufw allow from 10.0.0.0/24 to any port 8000 proto tcp
ufw deny 8000/tcp

🧯 If You Can't Patch

  • Keep the web listener on localhost or a management network and reach it only through a reverse proxy; isolate Tryton servers from untrusted networks.
  • At the proxy, cap the request body size and reject XML-RPC bodies (Content-Type text/xml) that contain <!DOCTYPE or <!ENTITY; legitimate XML-RPC calls never need a DTD. Rate limiting alone is a weak control here, because a single small request is enough to exhaust the server.
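The two points made above, that a single small request is enough and that legitimate XML-RPC never needs a DTD, are easiest to see in code. The following is an added example written for this page, not code from the Tryton project or the advisory: a guarded expat parse that aborts on the first DOCTYPE or ENTITY declaration (or, in measurement mode, when expanded text exceeds a budget), plus a WSGI middleware that applies the check to text/xml requests before the wrapped application parses them. The payloads, the `common.server.version` method name, the 10x budget and the `demo_status` harness are all constructed for illustration; wrapping trytond's own WSGI application with the middleware is a deployment assumption.

```python
"""Added example, not Tryton project code: refuse XML-RPC bodies that declare a
DTD before the real parser sees them, and measure how far a small entity
expansion payload inflates. Standard library only."""
from io import BytesIO
from xml.parsers import expat

# Constructed sample payloads (not taken from the advisory). XEE_PAYLOAD is a
# four-level nested-entity request: about 510 bytes on the wire, 30,000 bytes
# of text once &lol4; is expanded. BENIGN_PAYLOAD calls the same method.
# Adjacent byte literals are joined at compile time; '*' builds the repeats.
XEE_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE lolz [\n'
    b' <!ENTITY lol "lol">\n'
    b' <!ENTITY lol1 "' + b"&lol;" * 10 + b'">\n'
    b' <!ENTITY lol2 "' + b"&lol1;" * 10 + b'">\n'
    b' <!ENTITY lol3 "' + b"&lol2;" * 10 + b'">\n'
    b' <!ENTITY lol4 "' + b"&lol3;" * 10 + b'">\n'
    b']>\n'
    b'<methodCall><methodName>common.server.version</methodName>'
    b'<params><param><value><string>&lol4;</string></value></param></params>'
    b'</methodCall>'
)
BENIGN_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<methodCall><methodName>common.server.version</methodName>'
    b'<params/></methodCall>'
)


class UnsafeXML(Exception):
    """Body declares a DTD/entities, or expanded text exceeded the budget."""


def parse_xmlrpc_guarded(body, allow_dtd=False, max_ratio=10):
    """Parse an XML-RPC request with expat.

    Default mode: the first DOCTYPE or ENTITY declaration raises UnsafeXML
    before any entity is expanded, so a billion-laughs body costs nothing.
    Measurement mode (allow_dtd=True): the DTD is accepted but expanded
    character data is capped at max_ratio * len(body) bytes.
    Returns {"method": methodName text, "chars": bytes of text delivered}.
    """
    parser = expat.ParserCreate()
    state = {"method": "", "chars": 0, "in_method": False}
    budget = max_ratio * len(body)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE declaration in XML-RPC request")

    def entity_decl(*_args):
        if not allow_dtd:
            raise UnsafeXML("ENTITY declaration in XML-RPC request")

    def start_element(name, attrs):
        state["in_method"] = name == "methodName"

    def end_element(name):
        state["in_method"] = False

    def char_data(data):
        # expat delivers already-expanded entity text here, so this counter
        # is the real cost of the request, not its wire size.
        state["chars"] += len(data.encode("utf-8"))
        if state["chars"] > budget:
            raise UnsafeXML(f"expanded text exceeds {max_ratio}x request size")
        if state["in_method"]:
            state["method"] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)  # exceptions raised in handlers propagate here
    return {"method": state["method"], "chars": state["chars"]}


def xmlrpc_dtd_guard(app):
    """WSGI middleware: answer 400 to any text/xml (XML-RPC) request whose body
    declares a DTD or is not well-formed; everything else passes through.
    Assumes Content-Length is set on XML-RPC requests."""
    def guarded(environ, start_response):
        if environ.get("CONTENT_TYPE", "").startswith("text/xml"):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            try:
                parse_xmlrpc_guarded(body)
            except (UnsafeXML, expat.ExpatError) as exc:
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [f"rejected: {exc}".encode()]
            environ["wsgi.input"] = BytesIO(body)  # re-supply the consumed body
        return app(environ, start_response)
    return guarded


def demo_status(body):
    """Drive the middleware with a constructed environ around a stub app and
    return the HTTP status line it emits."""
    def stub_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/xml")])
        return [b"<methodResponse/>"]
    seen = []
    environ = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": "text/xml",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    xmlrpc_dtd_guard(stub_app)(environ, lambda status, headers, exc_info=None: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    print(parse_xmlrpc_guarded(BENIGN_PAYLOAD))
    print(parse_xmlrpc_guarded(XEE_PAYLOAD, allow_dtd=True, max_ratio=100))
    print(demo_status(BENIGN_PAYLOAD), demo_status(XEE_PAYLOAD))
```

Run with allow_dtd=True and a generous budget, the measurement mode reports roughly 30,000 bytes of text from a 510-byte request; adding one more entity level multiplies that by ten again, which is why a body-size cap at the proxy does not stop XEE and the DTO check does. In a real deployment the middleware would wrap the trytond WSGI application (for example trytond.application.app, under whatever WSGI server you run), or the same DOCTYPE/ENTITY rejection would be expressed as a body rule in the reverse proxy; both are assumptions about your setup rather than anything the advisory prescribes.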

🔍 How to Verify

Check if Vulnerable:

Compare the installed versions against the affected ranges. trytond accepts a --version flag; proteus is a library with no command-line entry point, so read its version from pip or from the package itself.

Check Version:

trytond --version
pip show trytond proteus
python -c "import proteus; print(proteus.__version__)"

Verify Fix Applied:

The reported versions must be at or above the patched release for your series: Server 5.0.46+, 6.0.16+, or 6.2.6+; Client 5.0.12+, 6.0.5+, or 6.2.2+. Also confirm the trytond processes were restarted after the upgrade; a process still running the old code remains vulnerable whatever pip reports.

📡 Detection & Monitoring

Log Indicators:

  • XML-RPC POST bodies containing <!DOCTYPE or <!ENTITY (an XEE payload is small on the wire, so request size alone is not a reliable indicator)
  • trytond worker memory climbing sharply after a single request, OOM-killer messages, or memory exhaustion warnings
  • Process termination due to resource limits

Network Indicators:

  • text/xml POSTs to the Tryton listener from unexpected sources, especially with entity declarations in the body
  • Traffic spikes to the XML-RPC port

SIEM Query (generic pattern; adapt the source and field names to your log pipeline):

source="tryton.log" AND ("XML-RPC" OR "memory" OR "resource") AND ("error" OR "warning" OR "exhausted")
