CVE-2023-48362

8.8 HIGH

📋 TL;DR

This vulnerability allows XML External Entity (XXE) injection through Apache Drill's XML Format Plugin. By getting Drill to process a crafted XML file, an attacker can read arbitrary files from the Drill server's file system or execute commands. It affects Apache Drill 1.19.0 and later releases prior to the fixed version 1.21.2.

💻 Affected Systems

Products:
  • Apache Drill
Versions: 1.19.0 and greater (up to but not including 1.21.2)
Operating Systems: All operating systems running Apache Drill
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the XML Format Plugin which is part of Apache Drill's core functionality for processing XML data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to read sensitive files (including configuration files and credentials), execute arbitrary commands, and potentially pivot to other systems.

🟠 Likely Case

Data exfiltration of sensitive files from the Drill server, potentially including database credentials, configuration files, and other system information.

🟢 If Mitigated

Limited impact if proper network segmentation, file system permissions, and input validation are in place, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH - If Apache Drill is exposed to the internet, attackers can exploit this vulnerability directly without any authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but doing so requires access to the Drill service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood and relatively easy to exploit. The vulnerability requires the attacker to be able to upload or process XML files through Drill's XML Format Plugin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.2

Vendor Advisory: https://lists.apache.org/thread/9tt0q4bdjwgw0dz0l9knqxjnpb5y6zsl

Restart Required: Yes

Instructions:

1. Download Apache Drill version 1.21.2 from the official Apache website.
2. Stop the running Drill service.
3. Back up your current installation and configuration.
4. Install version 1.21.2.
5. Restore your configuration if needed.
6. Start the Drill service.

🔧 Temporary Workarounds

Disable XML Format Plugin

Temporarily disable the vulnerable XML Format Plugin to prevent exploitation:

  • Edit drill-override.conf and add: drill.exec.formats.xml.enabled=false (confirm the setting name against the documentation for your Drill release before relying on it)
  • Restart the Apache Drill service

Restrict XML File Processing

Implement input validation to reject or sanitize XML files before processing:

  • Implement file upload validation in your application layer
  • Use XML parsers with XXE protection enabled (DTD processing and external entity resolution disabled)
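The following is an added example of the application-layer gate described above; it is not Apache Drill code. It uses Python's expat bindings (the same callback approach the defusedxml project relies on) to reject any XML document that declares a DOCTYPE, an entity, or an external entity reference before the file is handed to a downstream XML data source. The sample documents and the file URI in them are constructed placeholders.

```python
"""Reject XML carrying DTD constructs before it reaches an XML data source."""
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised from a parser callback to abort as soon as a DTD construct is seen."""


def xxe_findings(data: bytes) -> list[str]:
    """Return the reasons a document must be rejected; an empty list means clean.

    Expat is configured never to fetch external parameter entities, and the
    callbacks abort on the first declaration, so nothing external is resolved
    while the document is inspected.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Data feeds have no business declaring a DTD at all.
        raise UnsafeXml(f"DOCTYPE {name} declared (sysid={sysid!r}, pubid={pubid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise UnsafeXml(f"{kind} entity {name!r} declared (sysid={sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity reference to {sysid!r}")

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except UnsafeXml as exc:
        return [str(exc)]
    except expat.ExpatError as exc:
        # Malformed input is rejected too: it will not parse downstream either.
        return [f"malformed XML rejected: {exc}"]
    return []


def is_xml_safe(data: bytes) -> bool:
    return not xxe_findings(data)


# Constructed samples; the SYSTEM URI is a placeholder, not a real path.
CLEAN_XML = b'<?xml version="1.0"?><rows><row id="1"><name>alice</name></row></rows>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE rows [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
           b'<rows><row>&ext;</row></rows>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_XML), ("xxe", XXE_XML)):
        print(label, "accepted" if is_xml_safe(doc) else f"REJECTED {xxe_findings(doc)}")
```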

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Apache Drill instances from sensitive systems
  • Apply strict file system permissions to limit what files the Drill process can access

🔍 How to Verify

Check if Vulnerable:

Check Apache Drill version: if version is >=1.19.0 and <1.21.2, the system is vulnerable.

Check Version:

drill-conf --version, check the Drill web UI at http://localhost:8047, or run SELECT * FROM sys.version from a Drill SQL client

Verify Fix Applied:

After patching, verify the version is 1.21.2 or later and test XML file processing functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML file processing activity
  • File read operations from unexpected locations
  • Error messages related to XML parsing failures

Network Indicators:

  • Unusual outbound connections from Drill server
  • Large data transfers following XML file uploads

SIEM Query:

source="apache_drill" AND (event_type="file_read" OR event_type="xml_parse") AND (file_path CONTAINS "file://" OR file_path CONTAINS "http://")
