CVE-2023-28008
📋 TL;DR
HCL Workload Automation versions 9.4, 9.5, and 10.1 contain an XML External Entity (XXE) vulnerability that allows remote attackers to read sensitive files from the server or cause denial of service through memory consumption. This affects organizations using these versions of HCL's workload automation software for job scheduling and management.
💻 Affected Systems
- HCL Workload Automation
📦 What is this software?
HCL Workload Automation is HCL's workload automation software for job scheduling and management; versions 9.4, 9.5, and 10.1 are affected.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through sensitive file disclosure (including configuration files, credentials, system files) leading to data breach and potential lateral movement.
Likely Case
Unauthorized reading of sensitive server files containing configuration data, credentials, or other proprietary information.
If Mitigated
Limited impact with proper network segmentation and XML parsing restrictions in place.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fixes per HCL advisory KB0104371
Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104371
Restart Required: Yes
Instructions:
1. Review HCL advisory KB0104371.
2. Download the appropriate patches from the HCL support portal.
3. Apply the patches following HCL documentation.
4. Restart affected services.
5. Verify that the fix has been applied.
🔧 Temporary Workarounds
Disable XML External Entity Processing (platform: all)
Configure XML parsers to disable external entity resolution.
Configure XML parser settings: set features such as FEATURE_SECURE_PROCESSING to true and disable external entities.
Input Validation and Sanitization (platform: all)
Implement strict input validation for XML data.
Implement XML schema validation, reject XML with DOCTYPE declarations, and use allowlists for XML content.
🧯 If You Can't Patch
- Network segmentation: Isolate HCL Workload Automation servers from untrusted networks
- Implement web application firewall (WAF) with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check installed version against affected versions (9.4, 9.5, 10.1)
Check Version:
Consult HCL documentation for version check commands specific to your installation
Verify Fix Applied:
Verify patch installation and confirm that XXE test payloads are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Multiple large XML file processing attempts
- External entity resolution attempts in logs
Network Indicators:
- XML payloads containing external entity references
- Unusual outbound connections from HCL servers during XML processing
SIEM Query:
source="hcl_workload_automation" AND (xml_parse_error OR external_entity)