Preface: The design weakness was disclosed by the Apache Software Foundation on January 14, 2021. The design limitation in XMLBeans has been fixed; the developers recommend using XMLBeans 3.0.1 instead of XMLBeans 2.6.0.
Background: PS/nVision is PeopleTools software used to design and create Microsoft Excel spreadsheet reports from PeopleSoft data. nVision selects data from your PeopleSoft database using ledgers, trees, and queries; queries are useful for extracting data from sources other than ledgers.
nVision works in three modes: OpenXML mode, Excel Automation mode and Cross Platform mode.
- nVision uses OpenXML mode on the batch server, where it relies on Microsoft’s OpenXML SDK to generate Excel-compatible documents.
- nVision continues to support the operation mode called Excel Automation mode, which automates the Excel application to generate spreadsheet documents in the PeopleTools PIA architecture.
- nVision uses Cross Platform mode to generate spreadsheet documents in the PeopleTools PIA architecture.
Vulnerability details: CVE-2021-23926 – PeopleSoft Enterprise PeopleTools (nVision, XMLBeans). The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input; the exposure includes XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
Reference: An XML entity expansion attack uses valid, well-formed XML whose nested entity definitions expand exponentially when resolved, until the resources allocated to the server are exhausted. XMLBeans was exposed because the XML parsers it used did not set the properties needed to protect the user from malicious XML input.
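The following is an added example, not code from Oracle, Apache or the XMLBeans project: a defensive pre-check that estimates how large a document would become once its internal-subset entities are expanded, so an application can reject it before handing it to a parser that lacks expansion limits. The two sample documents are constructed for the demonstration, and the regex-based scan is an approximation that covers only double-quoted general entities in the internal DTD subset (no parameter or external entities).

```python
import re
from typing import Dict, Set

# Constructed sample: three nesting levels with three references each, so the
# single &c; in the body expands to 3**3 = 27 copies of "lol" (81 characters).
NESTED_DOC = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]>
<data>&c;</data>"""

# Constructed benign sample: one entity, no nesting, expands to 12 characters.
BENIGN_DOC = """<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY co "Example Corp"> ]>
<data>&co;</data>"""

_ENTITY = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal-subset declarations only
_REF = re.compile(r'&(\w+);')                              # general entity references

def internal_entities(doc: str) -> Dict[str, str]:
    """Return the general entities declared in the internal DTD subset."""
    start = doc.find("<!DOCTYPE")
    if start == -1:
        return {}
    end = doc.find("]>", start)
    return dict(_ENTITY.findall(doc[start:end if end != -1 else None]))

def expanded_length(name: str, ents: Dict[str, str],
                    memo: Dict[str, int], active: Set[str]) -> int:
    """Character count of `name` after full expansion; recursive definitions are rejected."""
    if name in memo:
        return memo[name]
    if name not in ents:            # undeclared or predefined (&lt; etc.): treat as one char
        return 1
    if name in active:              # a -> ... -> a is illegal XML and would never terminate
        raise ValueError(f"recursive entity reference: {name}")
    active.add(name)
    value = ents[name]
    size = len(_REF.sub("", value))  # literal characters in the replacement text
    size += sum(expanded_length(r, ents, memo, active) for r in _REF.findall(value))
    active.discard(name)
    memo[name] = size
    return size

def expansion_estimate(doc: str) -> int:
    """Characters the body's entity references would occupy once fully expanded."""
    ents = internal_entities(doc)
    body = doc[doc.find("]>") + 2:] if "]>" in doc else doc
    return sum(expanded_length(r, ents, {}, set()) for r in _REF.findall(body))

def accept(doc: str, limit: int = 1_000_000) -> bool:
    """Gate a document before passing it to a parser without entity-expansion limits."""
    return expansion_estimate(doc) <= limit
```

The estimate is computed from the declarations alone, without ever materialising the expanded text, so the check itself stays cheap even when the expansion would be enormous.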
Official announcement: Oracle Critical Patch Update Advisory (October 2021) – https://www.oracle.com/security-alerts/cpuoct2021.html