Excel-Streaming-Reader (xlsx-streamer) is a popular Java library offering an efficient way of reading large Excel files with Apache POI in a streaming manner. Unfortunately, a security vulnerability (CVE-2022-23640) has been discovered in versions prior to 2.1., allowing attackers to perform XML Entity Expansion attacks. This article will provide an overview of the issue, code snippets demonstrating the vulnerability, links to original references, and information on how to mitigate this security risk.

Description

XML Entity Expansion attacks, also known as Billion Laughs attacks, involve supplying specially crafted XML whose internal DTD declares entities in terms of other entities. The parser expands them recursively, so the amount of data it has to hold grows exponentially with the number of nesting levels. A document of a few kilobytes can therefore consume gigabytes of memory and a great deal of CPU time, which results in a Denial of Service (DoS).

In the case of Excel-Streaming-Reader, the XML parser used in versions prior to 2.1. was not configured to reject or limit such entity declarations. Consequently, an attacker who can submit a workbook to an application using the library could exhaust its memory and processing power, compromising the application's availability.

Here is a code snippet showing typical usage of the vulnerable versions. Note that nothing in the caller's code is wrong: the parser configuration lives inside the library, so any open() call on a version prior to 2.1. is exposed regardless of how the builder is used.

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import org.apache.poi.ss.usermodel.Workbook;
import com.monitorjbl.xlsx.StreamingReader;

// open() returns a Workbook, not a StreamingReader; the caller must close the
// returned Workbook, which also closes the underlying stream.
private Workbook getWorkbook(String path) throws FileNotFoundException {
  FileInputStream fis = new FileInputStream(new File(path));
  Workbook workbook = StreamingReader.builder()
      .rowCacheSize(100)
      .bufferSize(4096)
      .open(fis); // Vulnerable on versions prior to 2.1.: the library's XML parser allows entity expansion
  return workbook;
}

Exploit details

To exploit this vulnerability, an attacker would need to craft an XML file with malicious content resembling the structure below and input it into the application using the vulnerable version of the Excel-Streaming-Reader library.

<?xml version="1."?>
<!DOCTYPE root [
<!ENTITY ha "ha">
<!ENTITY ha2 "&ha;&ha;&ha;&ha;&ha;&ha;&ha;&ha;&ha;&ha;">
<!ENTITY ha3 "&ha2;&ha2;&ha2;&ha2;&ha2;&ha2;&ha2;&ha2;&ha2;&ha2;">
<!-- ... -->
<!ENTITY haN "&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);&ha(N-1);">
]>
<root>&haN;</root>

Mitigation

To remediate this vulnerability, users should upgrade to xlsx-streamer version 2.1., which includes a fix that properly configures the XML parser to prevent XML Entity Expansion attacks. Because the fix lives inside the library, confirm the version that is actually resolved on the classpath (a transitive dependency can pin an older release) rather than only the version declared in your build file.

In the code snippet below, running against version 2.1. or later, the parser is configured to defend against XML Entity Expansion:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import org.apache.poi.ss.usermodel.Workbook;
import com.monitorjbl.xlsx.StreamingReader;

// Same usage as before; the returned Workbook must be closed by the caller.
private Workbook getSecureWorkbook(String path) throws FileNotFoundException {
  FileInputStream fis = new FileInputStream(new File(path));
  Workbook workbook = StreamingReader.builder()
      .rowCacheSize(100)
      .bufferSize(4096)
      .preventXXE(true) // Secure configuration
      .open(fis);
  return workbook;
}
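The fix in the library is an internal change to how its StAX parser is configured, and the same hardening applies to any XML an application parses itself outside of xlsx-streamer. The following is an added example, not code from the Excel-Streaming-Reader project: it builds a javax.xml.stream.XMLInputFactory that refuses DTDs and external entities, then streams through a document and fails closed on any DTD or entity-reference event, so a document shaped like the Billion Laughs payload described earlier is rejected before anything can be expanded. The class name HardenedXmlReader, the method names, and the two inline sample documents are constructed for illustration.

```java
import java.io.StringReader;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Added example (not xlsx-streamer code): a StAX reader hardened against entity expansion. */
public final class HardenedXmlReader {

    /** Returns a factory configured so that DTDs, and therefore entity declarations, are not supported. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // A Billion Laughs payload needs an internal DTD subset to declare its entities,
        // so refusing DTDs removes the precondition for the attack.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Never fetch external entities or external DTDs, even if a DOCTYPE is encountered.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Report entity references as events instead of silently expanding them.
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        return factory;
    }

    /**
     * Streams through the document and sums the length of its text nodes.
     * Throws on any DTD or unexpanded entity reference, so a document carrying
     * entity declarations is rejected rather than expanded.
     */
    static long textLength(String xml) throws XMLStreamException {
        XMLStreamReader reader = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        long total = 0;
        try {
            while (reader.hasNext()) {
                switch (reader.next()) {
                    case XMLStreamConstants.DTD:
                    case XMLStreamConstants.ENTITY_REFERENCE:
                        throw new XMLStreamException("DTD or entity reference rejected by policy");
                    case XMLStreamConstants.CHARACTERS:
                        total += reader.getTextLength();
                        break;
                    default:
                        break;
                }
            }
        } finally {
            reader.close();
        }
        return total;
    }

    /** True when the document parses cleanly under the hardened policy, false when it is rejected. */
    static boolean accepts(String xml) {
        try {
            textLength(xml);
            return true;
        } catch (XMLStreamException e) {
            // Either the parser refused the DOCTYPE itself or the DTD/entity event was rejected above.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; neither is taken from a real spreadsheet.
        String benign = "<?xml version=\"1.0\"?><root><c>hello</c></root>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY a \"aaaa\">]><root>&a;</root>";
        System.out.println("benign document accepted:   " + accepts(benign));
        System.out.println("document with DTD accepted: " + accepts(withDtd));
    }
}
```

Whether the JDK's bundled StAX implementation or Woodstox is on the classpath, a document with a DOCTYPE either triggers an exception from the parser or surfaces as a DTD or ENTITY_REFERENCE event, and both paths end in rejection. Checking for the event as well as relying on the factory property is deliberate: property names are honoured slightly differently across implementations, and the event check does not depend on which one is resolved at runtime.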

Original references and resources

1. CVE-2022-23640: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23640
2. GitHub repository of Excel-Streaming-Reader: https://github.com/monitorjbl/excel-streaming-reader
3. Release notes of xlsx-streamer 2.1., mentioning the patch for the vulnerability: https://github.com/monitorjbl/excel-streaming-reader/releases/tag/2.1.

Conclusion

Users of the Excel-Streaming-Reader library are urged to upgrade to version 2.1. or later to protect their applications from XML Entity Expansion attacks. Always ensure that your applications are updated regularly to include security patches and stay alert to newly disclosed vulnerabilities. By proactively addressing security risks, you can maintain the integrity, confidentiality, and availability of your applications and services.

Timeline

Published on: 03/02/2022 20:15:00 UTC
Last modified on: 03/09/2022 18:01:00 UTC