CVE-2019-17554 Apache Olingo OData 4.0 XML External Entity Injection – 4th Dec 2019

Preface: When you are sitting on the same boat. The risks at the time of the event are equal.

Background: Open Data Protocol (OData) is an open protocol which allows the creation and consumption of queryable and interoperable RESTful APIs in a standard way. Apache Olingo is a Java library that implements the Open Data Protocol (OData). In SAP HANA DB environment, quite a lot of business application system will work with Apache Olingo.

Vulnerability details: The XML content type entity deserializer is not configured to deny the resolution of external entities. Request with content type “application/xml”, which trigger the deserialization of entities, can be used to trigger XXE attacks.

For security advice provided by Symantec, please refer to the link- https://www.symantec.com/security-center/vulnerabilities/writeup/111101?om_rssid=sr-advisories

2 thoughts on “CVE-2019-17554 Apache Olingo OData 4.0 XML External Entity Injection – 4th Dec 2019”

  1. Hello, Neat post. There’s a problem with your site in web explorer,
    might check this? IE nonetheless is the marketplace chief and
    a huge component of folks will miss your great writing because of this problem.

  2. It’s really a nice and helpful piece of info.
    I am happy that you shared this helpful information with us.
    Please keep us informed like this. Thank you for sharing.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.