Apache ActiveMQ and ActiveMQ Apollo XML External Entity Data Parsing

The Apache ActiveMQ and ActiveMQ Apollo messaging brokers are susceptible to XML external entities attacks when handling subscriptions with XPath based selectors.

Apache ActiveMQ is an open source message-oriented middleware messaging broker. ActiveMQ supports various message queueing protocols, such as Message Queue Telemetry Transport (MQTT), Advanced Message Queuing Protocol (AMQP), and Streaming Text Oriented Messaging Protocol (STOMP).

A vulnerability was identified in ActiveMQ in the way it handles content-based subscriptions which allows an adversary to trigger processing of XML external entities (XXE). Apache ActiveMQ Apollo, which is another MQ implementation built for reliability and performance and originally based on ActiveMQ, was also found to be affected by this vulnerability.

This vulnerability was found to affect Apache ActiveMQ versions 5.0.0 to 5.10.0 and Apache ActiveMQ Apollo 1.0 to 1.7.

An attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery or read local files, accessible to the user running the MQ broker, from the server.

XML parsing, as handled by ActiveMQ, does not restrict processing of XML external entities.

If using ActiveMQ, upgrade to version 5.11.0 or later. For ActiveMQ Apollo, upgrade to version 1.7.1 or later.

MQ selectors allow for attaching a filter to a subscription when performing content based message routing. Apache ActiveMQ supports two types of MQ selectors. These are JMS selectors expressed in SQL-92 syntax for messages with message properties and XPath selectors for messages with XML bodies.

It is possible for a consumer dequeuing XML messages to specify an XPath-based selector, thereby causing the broker to evaluate the XPath expression in an attempt to match it against the messages in the queue while also performing XML external entities resolution.

In order to successfully exploit this vulnerability, an attacker has to act on behalf of both a publisher and a consumer. The following is an attack pattern which will result in triggering the XXE resolution:

1. A publisher enqueues an XML message which references external XML entities.
2. A consumer requests dequeuing an XML message from the same queue using an XPath-based selector.
3. The broker evaluates the XPath expression and attempts to match it against the messages in the queue while also resolving any external entity references.

The vulnerable code responsible for handling XPath based selectors is part of the org.apache.activemq.filter package which consists of two virtually identical classes, namely JAXPXPathEvaluator and XalanXPathEvaluator. The following is a snippet of the former where XML parsing occurs with processing of external entities:

An adversary would need to set up an HTTP service hosting the external DTD and an FTP or other service to retrieve the file contents using an out-of-band technique. The following is the output from a successful attack using a Python script to simulate the HTTP and FTP services.

1. Attack Execution

2. Out-of-Band File Retrieval