tencent cloud

Web Application Firewall

Release Notes and Announcements

Product Announcement

Adjusting Billing of WAF BOT Traffic Management

Security Advisory

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)

Notice for WebLogic Console HTTP RCE Vulnerability

Notice for Exchange Server Command Execution Vulnerability

Notice for Yonyou GRP-U8 SQL Injection Vulnerability

Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Notice for WordPress File Manager Arbitrary Code Execution Vulnerability

Jenkins Security Advisory for September

Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)

Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)

Product Introduction

Product Category

Plans and Editions

Supported Regions

Purchase Guide

Billing Overview

Chinese Mainland

WAF Plan Upgrade Method

Renewing Connections

Payment Overdue

Getting Started

Getting Started

FAQs for Beginners

Operation Guide

SaaS WAF Connection

Step 1. Add a Domain Name

Step 2. Perform Local Testing

Step 3. Modify DNS Resolution

Step 4. Configure a Security Group

Step 5. Verify the Configuration

CLB WAF Connection

Step 1. Confirm CLB Configuration

Step 2. Bind Domain Name to CLB Instance

Step 3: Verify the configuration

Connect Via Instance Object

Cloud-Native Instance Object Access

Bot and Application Security

Bot Settings

Bot Management

Client Risk Identification

Bot Analytics

Threat Intelligence Module

Bot Flow Statistics Module

Action Settings

Bot Traffic Visibility

Bot Traffic Analysis

Bot Traffic Details

Asset Center

Instance Management

Domain Name List

Advanced Connection Feature

API Asset Management

Basic Security Configurations

IP Blocking Penalty

Region Blocking

CC Protection Rule Settings

Web Tamper Protection

Data Leakage Protection

API Security Management

API Traffic Analysis

Threat Operation

API Event Management

Bot Event Management

Blocklist/Allowlist Protection Settings

Precise Allowlist Management

Traffic Inspection

Statistics and Logs

Sandbox Isolation Status

Practical Tutorial

WAF CCP Overview

Bot Management

Best Practices of Scenario-Based Bot Configuration

Best Practices of Bot Traffic Management Connection

API Security

API Security Practice Tutorial

WAF Working with API Gateway

API Capacity Protection

API Data Security and Enhancement

API Exposure Management

API Behavior Control

Integration

Combined Application of WAF and Anti-DDoS Pro

Applying for and Using Free HTTPS Certificates

Obtaining Real Client IPs

Replacing Certificate

Protection Configuration

Setting CC Protection

Connecting Frontend-Backend Separated Site to WAF CAPTCHA

Setting WAF Exception Alarms in TCOP

API Documentation

Making API Requests

Request Structure

Asset Management APIs

DescribeDomains

Billing APIs

GenerateDealsAndPayNew

DescribeInstances

Protection Settings APIs

Other APIs

IP Management APIs

DeleteIpAccessControlV2

DescribeBatchIpAccessControl

DescribeIpAccessControl

CreateIpAccessControl

ModifyIpAccessControl

ImportIpAccessControl

Integration APIs

DescribeHostLimit

DescribeUserDomainInfo

DescribeCertificateVerifyResult

DescribeTlsVersion

ModifyHostFlowMode

ModifySpartaProtection

AddSpartaProtection

DescribeUserClbWafRegions

RefreshAccessCheckResult

DeleteSpartaProtection

DescribeCiphersDetail

DescribeDomainDetailsClb

DescribeDomainDetailsSaas

ModifyDomainIpv6Status

DescribeVipInfo

Log Service APIs

GetAttackHistogram

GetAttackTotalCount

ModifyDomainPostAction

SearchAttackLog

Security Overview APIs

DescribeAttackType

DescribeHistogram

DescribePeakPoints

DescribePolicyStatus

DescribeTopAttackDomain

DescribeAttackOverview

FAQS

Product Consultation

Connection

Associated Product

Service Level Agreement

WAF Policy

Data Processing And Security Agreement

DocumentationWeb Application FirewallRelease Notes and Announcements Security AdvisoryNotice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Last updated: 2022-06-23 11:14:26

Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Last updated: 2022-06-23 11:14:26

On September 11, 2020, the Apache Software Foundation issued a security advisory to fix the XXE vulnerability in Apache Cocoon (CVE-2020-11991).
Vulnerability Details
Apache Cocoon is a Spring-based framework built around the concepts of separation. All processing jobs under it are linearly connected by predefined processing components, which can process the inputs and generated outputs in a pipeline sequence. Its users include Apache Lenya, Daisy CMS, Hippo CMS, Mindquarry, etc. It is usually used as a data ETL tool or relay for data transfer between systems.
CVE-2020-11991 is related to StreamGenerator. When using the StreamGenerator, Cocoon parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
Risk Level
High Risk
Vulnerability Risk
A specially crafted XML, including external system entities, could be used to access any file on the server system.
Affected Versions
Apache Cocoon <= 2.1.12
Suggestions for Fix
The vulnerability has been officially fixed in the new version. Tencent Security recommends you:
Upgrade to the latest version (2.1.13) of Apache Cocoon.
Use Tencent Cloud WAF that supports detection of and defense against XXE vulnerabilities like CVE-2020-11991.
Note: 
Back up your data before installing the patch to avoid accidental losses.
References
Official update notice:
Apache Cocoon
Apache Cocoon 2.2
CVE-2020-11991

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

No

Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 available.

7x24 Phone Support