Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
Summary
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. Affected product named by the advisory: Red Hat build of Apache Camel 4 for Quarkus 3.
What this means
In plain English
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. Affected product named by the advisory: Red Hat build of Apache Camel 4 for Quarkus 3.
Recommended action
Primary action: update to a vendor-listed fixed release: 4.2.2, 4.1.7.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- Apache CXF 4.2.0 before 4.2.2
- Apache CXF before 4.1.7
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
- 4.2.2
- 4.1.7
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 4.2.2, 4.1.7. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.