2026-06-19 06:45:01 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 本文深入研究了ApacheCXFXXE外部实体解析漏洞（CVE-2026-49875）。该漏洞源于框架在处理XMLSchema时未完全应用JAXP安全加固配置，导致攻击者可通过精心构造的恶意XMLpayload发起攻击。文章详细分析了受影响版本（如4.1.0≤cxf<4.1.7）、攻击效果（读取敏感文件、触发SSRF）、环境搭建步骤，并从代码层面剖析了漏洞成因，最后提供了利用脚本和流量特征。 综合评分： 90 文章分类： 漏洞分析,web安全,渗透测试,解决方案,安全工具

https://github.com/Kai-One001/cve-/blob/main/CVE-2026-49875-Apache-CXF-XXE.py

2.3-复现流量特征 (PCAP)

### 项目地址

https://github.com/Kai-One001/PCAP-For-Cybersecurity.rule/blob/main/2026/CVE-2026-49875-Apache-CXF-XXE.pcap

发起请求，服务回连地址

回连传回数据

0x3 漏洞原理分析

3.1-起点：从 CVE 公告看信息

关键词EndpointReferenceUtils、W3CMultiSchemaFactory与SAXParserFactory作为静态分析入口，在cxf-core模块中检索。顺着Schema校验相关拦截器向上游追踪，锁定两条并行链路->Woodstox MSV校验与JAXB SchemaFactory校验->它们会在处理SOAP/REST消息时被间接激活。

3.2-CXF 内部的”加固断层”

Apache CXF 在多处 XML 处理代码中已经建立了 JAXP 安全基线。以同项目中的DOMUtils 为例，创建 DocumentBuilderFactory时明确启用了安全处理与禁止 DTD：

// cxf-cxf-4.2.1/core/src/main/java/org/apache/cxf/helpers/DOMUtils.javaprivatestaticDocumentBuilder createDocumentBuilder()throwsParserConfigurationException{DocumentBuilderFactory&nbsp;f =DocumentBuilderFactory.newInstance();&nbsp;f.setNamespaceAware(true);&nbsp;f.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING,true);&nbsp;f.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);return&nbsp;f.newDocumentBuilder();

只要在 CXF 运行时解析不可信 XML 的路径，均应对 DTD、外部实体、外部 Schema 引用施加限制。
然而，在 Schema 编译这一路径上，加固规范没有覆盖完全，导致EndpointReferenceUtils 与W3CMultiSchemaFactory，出现了遗漏。

3.3-爆发点一：`W3CMultiSchemaFactory` 裸奔的 SAXParserFactory

Stax2ValidationUtils在Woodstox 5.x环境下会反射调用本类的createSchema()，它是StAX入站Schema校验的核心。

如何定位？ 从StaxSchemaValidationInInterceptor沿WoodstoxValidationImpl→Stax2ValidationUtils.getValidator()向下，就到了W3CMultiSchemaFactory.createSchema()

// cxf-cxf-4.2.1/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java&nbsp;parserFactory =SAXParserFactory.newInstance();&nbsp;parserFactory.setNamespaceAware(true);
WSDLGrammarReaderController ctrl =newWSDLGrammarReaderController(null, baseURI, embeddedSources);&nbsp;xmlSchemaReader =newRecursiveAllowedXMLSchemaReader(ctrl, parserFactory);&nbsp;multiSchemaReader =newMultiSchemaReader(xmlSchemaReader);for(Source&nbsp;source&nbsp;: schemaSources.values()){&nbsp;multiSchemaReader.parse(source);

此处仅调用setNamespaceAware(true)，缺失以下关键加固项：

•&nbsp;XMLConstants.FEATURE_SECURE_PROCESSING•&nbsp;http://apache.org/xml/features/disallow-doctype-decl•&nbsp;http://xml.org/sax/features/external-general-entities →&nbsp;false•&nbsp;http://xml.org/sax/features/external-parameter-entities →&nbsp;false

因此，当 multiSchemaReader.parse(source) 解析含恶意 DTD 的 XSD 时，底层 MSV XMLSchemaReader 所使用的 SAX 解析器会照常解析外部实体，OOB 请求由此产生。这与官方公告”construct a SAXParserFactory without the necessary JAXP hardening configurations”的描述一样。

3.4-爆发点二：`EndpointReferenceUtils.createSchema()` 未加固的 SchemaFactory

所有基于JAXB/Databinding的Schema校验最终都汇聚到EndpointReferenceUtils.getSchema()->包括SOAP Header校验、入站/出站databinding、SoapOutInterceptor等。

定位？ 在代码库中全局检索EndpointReferenceUtils.getSchema的引用，发现其被AbstractInDatabindingInterceptor、SoapHeaderInterceptor、SoapOutInterceptor等高频拦截器调用。

// cxf-cxf-4.2.1/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.javaprivatestaticSchema&nbsp;createSchema(ServiceInfo serviceInfo,Bus b){Schema&nbsp;schema = serviceInfo.getProperty(Schema.class.getName(),Schema.class);if(schema ==null){SchemaFactory&nbsp;factory =SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);Map<String,byte[]> schemaSourcesMap =newLinkedHashMap<>();&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// ... 收集 Schema 来源 ...&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; factory.setResourceResolver(new&nbsp;SchemaLSResourceResolver(schemaSourcesMap,&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; b !=&nbsp;null&nbsp;? b :&nbsp;BusFactory.getThreadDefaultBus(false)));&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; schema = factory.newSchema(schemaSourcesMap2.values()&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;.toArray(new&nbsp;Source[schemaSourcesMap2.size()]));

SchemaFactory.newInstance()之后直接进入Schema组装newSchema() 编译，未设置：

• FEATURE_SECURE_PROCESSING• ACCESS_EXTERNAL_DTD（JAXP 1.5+）• ACCESS_EXTERNAL_SCHEMA（JAXP 1.5+）

SchemaFactory.newSchema()内部依赖 SAX 解析器处理StreamSource / DOMSource；当 Schema 内容含 DTD 或外部引用时，同样触发 XXE。更隐蔽的是，同文件中的 SchemaLSResourceResolver 在本地缓存未命中时，会通过 ExtendedURIResolver拉取远程 Schema——若 systemId 可被间接影响，则攻击面进一步扩大：

// cxf-cxf-4.2.1/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(systemId !=&nbsp;null) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;InputSource&nbsp;source&nbsp;=&nbsp;resolver.resolve(systemId, baseURI);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(source !=&nbsp;null) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; impl =&nbsp;new&nbsp;LSInputImpl();&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; impl.setByteStream(source.getByteStream());&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; impl.setSystemId(source.getSystemId());&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; impl.setPublicId(source.getPublicId());&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;impl;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }

3.5-攻击链路：从 HTTP 入口到实体解析

链路 A — Woodstox MSV 入站校验

HTTP POST /services/{Service}&nbsp; ->&nbsp;CXF Interceptor Chain&nbsp; ->&nbsp;StaxSchemaValidationInInterceptor.handleMessage() &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[Phase: PRE_UNMARSHAL]&nbsp; ->&nbsp;WoodstoxValidationImpl.setupValidation()&nbsp; ->&nbsp;Stax2ValidationUtils.getValidator()&nbsp; ->&nbsp;W3CMultiSchemaFactory.createSchema() &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [★ 注入面: schemaSources 中的恶意 XSD]&nbsp; ->&nbsp;SAXParserFactory.newInstance() &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [★ 缺陷: 无 JAXP 加固]&nbsp; ->&nbsp;MultiSchemaReader.parse(Source)&nbsp; ->&nbsp;XMLSchemaReader (MSV) 解析 DTD/外部实体 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[★ 爆发点: OOB HTTP / 文件读取]

链路 B — JAXB Databinding Schema 校验

484950515253545556HTTP POST /services/{Service}&nbsp; ->&nbsp;AbstractInDatabindingInterceptor.setDataReaderValidation()&nbsp; ->&nbsp;EndpointReferenceUtils.getSchema(ServiceInfo, Bus)&nbsp; ->&nbsp;createSchema()&nbsp; ->&nbsp;SchemaFactory.newInstance() &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[★ 缺陷: 无 ACCESS_EXTERNAL_E* 限制]&nbsp; ->&nbsp;SchemaFactory.newSchema(Source[])&nbsp; ->&nbsp;内部 SAX 解析 Schema 文档 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [★ 爆发点: XXE]&nbsp; ->&nbsp;(可选) SchemaLSResourceResolver.resolveResource()&nbsp; ->&nbsp;ExtendedURIResolver.resolve(systemId) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[★ 辅助放大: 远程 Schema 拉取]

链路 C — SOAP Header 校验（并行汇入链路 B）

HTTP POST /services/{Service}&nbsp; ->&nbsp;SoapHeaderInterceptor&nbsp; ->&nbsp;EndpointReferenceUtils.getSchema()&nbsp; ->&nbsp;createSchema() &nbsp;[同上]

#

0x4 修复建议

1、升级最新版本：将组件升级安全版本≥ 4.2.2和≥ 4.1.7

https://cxf.apache.org/security-advisories.html

2、临时防护措施：

限制访问：禁止生产环境从公网URL动态导入Schema；WSDL发布端点仅对内网或管理网段开放。
防火墙拦截：对运行CXF的应用服务器配置egress防火墙，阻断应用JVM对非业务必需地址的HTTP/DNS外连，可显著抑制OOB-XXE回传。
WAF / IDS 特征：在API网关或WAF上拦截响应侧异常：监控应用服务器对外发起的、目标为已知恶意域名的HTTP请求,OOB 回调特征。
最小暴露面：非必要不在公网服务上启用@SchemaValidation；对内部高敏感服务也进行必要评估。
供应链核查：锁定cxf-core及传递依赖版本，防止依赖树中混入其他未加固的XML 解析路径。
JVM 级应急加固：在应用启动参数中启用JAXP全局限制（JDK 7u40+ / 8u121+ 等）：

注意：全局属性可能影响依赖外部 Schema 的合法业务，升级官方补丁是根本解决方案。

免责声明：本文仅用于安全研究目的，未经授权不得用于非法渗透测试活动。

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：404号浪漫 404号浪漫 404号浪漫《Apache CXF XXE 外部实体解析漏洞 | CVE-2026-49875复现&研究》