CVE-2023-41034
DDFFileParser is vulnerable to XXE Attacks
Description
### Impact

`DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing). A [DDF file](https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model) is an LWM2M XML format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only against a trusted XML schema, upgrading is not mandatory.

### Patches

This is fixed in **v1.5.0** and **2.0.0-M13**.

### Workarounds

No easy way. A possible workaround is to write your own `DDFFileParser`/`DefaultDDFFileValidator` (and so `ObjectLoader`) that creates a `DocumentBuilderFactory` and a `SchemaFactory` configured as follows:

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.SchemaFactory;

// For DDFFileParser
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Disable DTDs
factory.setXIncludeAware(false); // Disable XML Inclusions
factory.setExpandEntityReferences(false); // Disable expansion of entity reference nodes

// For DefaultDDFFileValidator
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // No external DTD access
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // No external schema access
```

### References

- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://semgrep.dev/docs/cheat-sheets/java-xxe/
- https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
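The following is an added, self-contained example (not Leshan's own code) showing the hardened `DocumentBuilderFactory` from the workaround in use: the parser accepts a minimal, constructed DDF-shaped document but refuses the same document once a DOCTYPE is prepended, which is the point at which external entities would otherwise be declared. The class name, the `parseObjectName` helper and the sample XML are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical demo class; not part of Leshan.
public class HardenedDdfParserDemo {

    // Factory configured exactly as in the advisory's workaround.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parses a DDF document and returns the object's Name, or null if the parser refused it.
    static String parseObjectName(String ddfXml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(ddfXml)));
            return doc.getElementsByTagName("Name").item(0).getTextContent();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the parser reject any DOCTYPE before
            // any entity declared in it could be resolved or expanded.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of a minimal DDF file (not a real Leshan model).
        String trusted = "<LWM2M><Object ObjectType=\"MODefinition\">"
                + "<Name>Demo</Name><ObjectID>3300</ObjectID></Object></LWM2M>";
        // Same document with a DOCTYPE prepended (a harmless internal entity is enough
        // to trigger the refusal); the hardened parser rejects it outright.
        String withDoctype = "<!DOCTYPE LWM2M [<!ENTITY demo \"x\">]>" + trusted;

        System.out.println("trusted  -> " + parseObjectName(trusted));
        System.out.println("doctype  -> " + parseObjectName(withDoctype));
    }
}
```

A parser built from a plain `DocumentBuilderFactory.newInstance()` would instead accept the second document, which is the behaviour the advisory describes for the unpatched `DDFFileParser`.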
How to fix CVE-2023-41034
To remediate CVE-2023-41034, upgrade the affected package to a fixed version below.
- Upgrade to 1.5.0 or later.
Is CVE-2023-41034 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.