Quartz XXE Vulnerability CVE-2019–13990

5 min readAug 18, 2023

Summary

Quartz is a feature-rich open source job scheduling library that can be integrated into almost any Java application — — from the smallest standalone application to the largest e-commerce system.

Quartz can be used to create simple or complex schedules to execute dozens, hundreds, or even tens of thousands of jobs; the tasks of these jobs are defined as standard Java components that can perform almost any task you program.The Quartz scheduler includes many enterprise-class features such as support for JTA transactions and clustering.

The author has selected common vulnerabilities in Quartz components for analysis by analyzing hundreds of real projects that have introduced components.This analysis is CVE-2019–13990.The fundamental cause of this vulnerability lies in the initDocumentParser() method within XMLSchedulingDataProcessor.java, which fails to prohibit DTD usage, consequently leading to the occurrence of an XXE vulnerability.

Quartz is suitable for a wide range of scenarios where tasks need to be executed on a timed, periodic or condition-based trigger. Whether it is in data management, task automation or reminder notifications, Quartz can be useful. It allows you to efficiently schedule code execution to accommodate specific times, repetitive requirements, and business logic. Whether you’re building small, standalone applications or large, complex systems, Quartz is a powerful tool that provides robust scheduling and planning capabilities for your task and job management.

Information

• Name：XXE Vulnerability

• Number：CVE-2019–13990

• Type：CWE-611 XML Improper Restriction of XML External Entity Reference

• CVSS score：CVSS v3.1：9.8

• Severity Level：Critical

The vulnerability is an XXE due to the initDocumentParser() method of XMLSchedulingDataProcessor.java not disabling DTDs.

The vulnerability is exploited under two conditions, including allowing users to upload XML files and not filtering for malicious XML files

Affected version

Quartz 2.2.x < 2.2.4

Quartz 2.3.x < 2.3.2

Analyze

1.XML Background Knowledge

XML (eXtensible Markup Language) is a markup language for describing and transferring structured data and information. It is designed to exchange data between different systems and can be shared and interpreted in different applications.

In the process of parsing external entities, the XML parser can query various network protocols and services (DNS, FTP, HTTP, SMB, etc.) based on the scheme (protocol) specified in the URL.

External entities are useful for creating dynamic references in documents so that any changes made to the referenced resource are automatically updated in the document.

However, many attacks can be initiated against applications when dealing with external entities. These attacks include the disclosure of local system files, which may contain sensitive data such as passwords and private user data, or the manipulation of internal applications by utilizing the network access features of various schemes.

By combining these attacks with other vulnerabilities, the scope of these attacks can extend to client-side memory corruption, arbitrary code execution, and even service interruption, depending on the context of these attacks.

2.DTD

DTD (Document Type Definition) is a syntax specification for defining the structure and content of XML documents.It is a markup-based language for describing the elements, attributes, entities, data types, and relationships that can be contained in an XML document.DTD ensures that an XML document follows a specific structure and semantics.

Here are some of the key concepts and features of DTD:

Element Definitions: The DTD allows the definition of elements in an XML document, including the element name, content type (e.g., text, other elements, etc.), and the number of occurrences (one, zero, or multiple, etc.).

Attribute Definition: Allows defining the attributes and their data types that an element can contain. Attribute definitions allow specifying whether they are required, default values, etc.

Entity Definition: Entities are used to define reusable blocks of text or special characters that can be referenced in an XML document. There are two types of entities: internal entities and external entities.

Content Model: A DTD can define relationships between elements such as order, selection, and repetition. These definitions form the content model of an element.

<!DOCTYPE> declaration: Used to associate a DTD with an XML document. The location and name of the DTD is usually specified in the XML document in the form of a <!DOCTYPE> declaration.

The main purpose of a DTD is to ensure that an XML document follows a specific structure and semantics, making the document more predictable and consistent. However, DTDs have some limitations, such as not supporting datatype validation and namespaces, so in more complex scenarios it is common to use other schema languages such as XML Schema for stricter validation and definition.

3.XML Parsing for Quartz

Chose version 2.3.0 Quartz.

docBuilderFactory.setAttribute(“http[:]//java[.] sun[.] com/xml/jaxp/properties/schemaLanguage”, “http[:]//www[.] w3[.] org/2001/XMLSchema”); sets the XML Schema language used by the parser.

docBuilderFactory.setAttribute(“http[:]//java[.] sun[.] com/xml/jaxp/properties/schemaSource”, this.resolveSchemaSource()); sets the XML Schema source used by the parser.

It does not disable external entities, so if the XML references an external entity it will lead to an XXE attack.