CVE-2022-32458

7.5 HIGH
XXE

📋 TL;DR

Digiwin BPM has an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. This affects systems running vulnerable versions of Digiwin BPM software. Attackers can exploit insufficient input validation in XML processing to access sensitive system files.

💻 Affected Systems

Products:
  • Digiwin BPM
Versions: Specific affected versions are not detailed in the provided references; treat any installation that has not received the vendor patch as potentially affected
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with XML processing functionality exposed to user input without proper validation

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through reading sensitive files like /etc/passwd, /etc/shadow, configuration files with credentials, or internal network information leading to further attacks.

🟠 Likely Case

Unauthorized access to sensitive system files, configuration files, and potentially credential theft from application configuration.

🟢 If Mitigated

Limited impact with proper network segmentation, file system permissions, and input validation controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with standard exploitation techniques; unauthenticated access makes exploitation easier

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided references

Vendor Advisory: https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb

Restart Required: Yes

Instructions:

1. Contact Digiwin for the latest security patch.
2. Apply the patch according to vendor instructions.
3. Restart the BPM service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Disable XML External Entity Processing

Platform: all

Configure the XML parser to disable external entity resolution.

Set XML parser properties: FEATURE_SECURE_PROCESSING = true, disallow-doctype-decl = true

Input Validation Filter

Platform: all

Implement strict input validation to reject XML containing external entity declarations.

Implement regex filter: /<!ENTITY\s+\S+\s+SYSTEM\s+['"].*['"]>/i

Note that this pattern only matches general entities with a SYSTEM identifier; it does not catch parameter entities (<!ENTITY % name SYSTEM ...>) or PUBLIC identifiers, so treat it as a screening layer and rely on the parser settings above as the primary control.
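
As an added illustration of the parser-hardening workaround above (example code written for this page, not code from Digiwin or from the vendor advisory), the following Java snippet configures a DocumentBuilderFactory with the two properties the workaround names plus the usual companion features, and checks that the probe from the "How to Verify" section is refused while a benign document still parses. The feature URIs are the standard JAXP/Xerces ones; the class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXml {   // hypothetical class name, not a Digiwin component

    // Parser with DTDs and external entities switched off. The first two
    // features are the ones the workaround names; the rest are companions
    // that cover parsers which do not honour disallow-doctype-decl.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // True when the hardened parser refuses the document. A refused probe
    // is the outcome the "Verify Fix Applied" step expects.
    public static boolean rejects(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            // With disallow-doctype-decl on, Xerces throws before any
            // entity is resolved, so no file is ever read.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // The probe from this page's "Check if Vulnerable" step.
        String probe = "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM "
                + "'file:///etc/passwd'>]><root>&test;</root>";
        // A constructed benign document to show ordinary input still parses.
        String benign = "<root><item>ok</item></root>";
        System.out.println("probe rejected:  " + rejects(probe));
        System.out.println("benign rejected: " + rejects(benign));
    }
}
```

The same feature set applies to SAXParserFactory and to XMLInputFactory (via its SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES properties) wherever the application parses untrusted XML.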

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Digiwin BPM from untrusted networks
  • Deploy a web application firewall (WAF) with XXE protection rules enabled

🔍 How to Verify

Check if Vulnerable:

Test XML endpoints with XXE payloads: <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>

Check Version:

Check Digiwin BPM administration interface or configuration files for version information

Verify Fix Applied:

Retest with same XXE payloads; successful fix should return error or empty response instead of file contents

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors containing file paths
  • Unusual file access patterns from web application
  • Large XML payloads with DOCTYPE declarations

Network Indicators:

  • HTTP requests with XML content containing SYSTEM entities
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (xml OR .dtd OR SYSTEM) AND (file:// OR http://)

Expect this query to be noisy, since the http:// term matches most entries in ordinary web logs; narrowing the search to request bodies and to the DOCTYPE or ENTITY keywords reduces false positives.
