XXE in Eclipse Memory Analyzer report definition files
Basic information
Project name: Eclipse Memory Analyzer
Project id: tools.mat
What are the affected versions?
All versions prior to 1.15.0 including 1.14.0 and earlier.
Details of the issue
A user can choose to create a report in Eclipse Memory Analyzer from an external report definition file, written in XML, that may come from an untrusted source. If that report definition file has been crafted to perform an XML External Entity (XXE) attack, Eclipse Memory Analyzer could access unexpected external data. Such an attack may lead to disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser runs, and other system impacts. However, in general, users should not run untrusted external report definition files with Eclipse Memory Analyzer at all, because a report definition is effectively a script and can run any defined Memory Analyzer query or report.
Steps to reproduce
Take an Eclipse Memory Analyzer report file and add a sample XXE declaration to the XML, for example:
<!DOCTYPE root_element SYSTEM "file:///c:/mysecret.txt">
Then use the Memory Analyzer 'Run Report' menu option to select and run the report XML on the current heap dump snapshot, and look for an error message in the error log:
java.io.FileNotFoundException: c:\mysecret.txt (The system cannot find the file specified)
    at java.base/java.io.FileInputStream.open(Unknown Source)
    at java.base/java.io.FileInputStream.<init>(Unknown Source)
    at java.base/java.io.FileInputStream.<init>(Unknown Source)
    at java.base/sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
    at java.base/sun.net.www.protocol.file.FileURLConnection.getInputStream(Unknown Source)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
Do you know any mitigations of the issue?
Run Eclipse Memory Analyzer with these JVM options in MemoryAnalyzer.ini (JVM options in an Eclipse .ini file must appear after the -vmargs line):
-Djavax.xml.accessExternalSchema=
-Djavax.xml.accessExternalDTD=
An empty value for these JAXP properties denies the XML parser access to every protocol, so external DTDs and schemas referenced from a report definition are no longer fetched.
Eclipse Memory Analyzer version 1.15.0 will contain a fix for this issue. See bug 582681.
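As an added illustration, not code from the Memory Analyzer project, the following Java program configures a DocumentBuilderFactory with the same JAXP restrictions as the mitigation above, set per parser rather than through JVM options, and contrasts it with the JDK defaults on a constructed report document whose DOCTYPE points at a locally created DTD. Class, method and file names are hypothetical, and the default-parser behaviour shown assumes a stock JAXP configuration with no jaxp.properties overrides.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ReportParserHardeningCheck {
    // Parser configured the way the advisory's mitigation intends: no external DTD or schema access.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Per-parser equivalent of -Djavax.xml.accessExternalDTD= and -Djavax.xml.accessExternalSchema=
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Defence in depth: refuse any DOCTYPE and never expand external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a report-style document; returns its text content, or "REJECTED: ..." if the parser refuses it.
    static String parseReport(DocumentBuilderFactory f, String xml) {
        try {
            Document d = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a local DTD stands in for the external resource an untrusted report could reference.
        Path dtd = Files.createTempFile("mat-report-demo", ".dtd");
        Files.writeString(dtd, "<!ENTITY marker \"text-pulled-from-external-dtd\">\n");
        String sample = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE report SYSTEM \"" + dtd.toUri() + "\">\n"
                + "<report name=\"demo\">&marker;</report>\n";
        // JDK default settings (accessExternalDTD=all) follow the DOCTYPE and pull the entity text into the document.
        System.out.println("default : " + parseReport(DocumentBuilderFactory.newInstance(), sample));
        // The hardened parser fails on the DOCTYPE before any external resource is opened.
        System.out.println("hardened: " + parseReport(hardenedFactory(), sample));
        Files.deleteIfExists(dtd);
    }
}
```

Run it once with the default factory to confirm your JDK really does follow external DTDs, then keep the hardened variant as a regression check for any code path that parses report definitions.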