Apache Qpid XML Document Type Definitions Processing

Product: Apache Qpid
Severity: Medium
CVE Reference: CVE-2014-3629
Type: Apache Qpid XML Document Type Definitions Processing

A vulnerability was found in Apache Qpid which allows an attacker to force the server to parse an external Document Type Definition (DTD). This might allow an attacker to cause a Denial of Service (DoS) for applications using the message queue.


Description

Apache Qpid is an open source message-oriented middleware message broker. Qpid provides Java and C++ implementations of the Advanced Message Queuing Protocol (AMQP).

A vulnerability exists in the C++ broker implementation which allows an adversary to reference externally defined Document Type Definitions.

Impact

An attacker able to interact and send XML messages to a Qpid service endpoint could use this flaw to induce the service to perform HTTP requests. This can be used to perform server-side request forgery or DTD-based DoS attacks.

Cause

XML parsing as handled by Qpid does not restrict processing of externally defined XML Document Type Definitions.

Interim Workaround

The XML message exchange functionality can be disabled by removing the xml.so compiled binary module file from the Qpid modules directory.

Solution

Upgrade to Apache Qpid version 0.31 when made available by the vendor.

Technical Details

An adversary can trigger the processing of externally referenced Document Type Definitions when requesting a content based subscription to a message queue which holds XML formatted messages.

A consumer dequeuing XML messages can specify an XQuery selector. The broker then evaluates the XQuery expression in an attempt to match it against the messages in the queue, and XML Document Type Definition resolution takes place as part of that evaluation.

Document Type Definition resolution occurs in the process of XML parsing and is triggered in the following function implemented in XmlExchange.cpp:

bool XmlExchange::matches(Query& query,
                          Deliverable& msg,
                          bool parse_message_content)
{
    std::string msgContent;

    try {
        ...
        boost::scoped_ptr<DynamicContext> context(query->createDynamicContext());
        ...
        if (parse_message_content) {
            // The publisher-supplied message body is handed to the parser unchanged
            msgContent = msg.getMessage().getContent();
            QPID_LOG(trace, "matches: message content is [" << msgContent << "]");
            XERCES_CPP_NAMESPACE::MemBufInputSource xml((const XMLByte*) msgContent.c_str(), msgContent.length(), "input");
            // Parsing the document here also resolves any externally referenced DTD
            Sequence seq(context->parseDocument(xml));
            ...
    }
    ...
    return 0;
}

In order to successfully exploit this vulnerability, an attacker has to act on behalf of both a publisher and a consumer. The following is an attack pattern which will result in triggering the DTD resolution process:

  1. A publisher enqueues an XML message which references externally defined Document Type Definitions.
  2. A consumer requests dequeuing an XML message from the same queue using an XQuery based selector.
  3. The broker evaluates the XQuery expression and attempts to match it against the messages in the queue while also processing any Document Type Definition references.

The exploitation and impact of this vulnerability depend on the underlying XML parser. Apache Qpid supports the Xerces and FastXDM parsers, with Xerces being used by default. It was confirmed that a default setup of Apache Qpid with Xerces is vulnerable to server-side request forgery.
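The attack pattern above begins with a publisher enqueuing an XML body that references an external DTD. As an added example (not Qpid's own code), the following Python filter, usable in a publishing gateway or for scanning captured message bodies, detects such references through expat's declaration callbacks without fetching anything; the sample messages, URL and file path are constructed placeholders.

```python
"""Publisher-side / monitoring check: flag XML message bodies that declare an
external DTD subset or an external entity, the input that makes a Qpid XML
exchange backed by Xerces perform outbound requests when an XQuery selector
is evaluated against the queue."""
import xml.parsers.expat

# Constructed sample messages (not taken from the advisory); the URL and the
# file path are placeholders.
EXTERNAL_DTD_MSG = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd">'
                    b'<note>hello</note>')
EXTERNAL_ENTITY_MSG = (b'<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
                       b'<note>&ext;</note>')
INTERNAL_ONLY_MSG = b'<!DOCTYPE note [<!ENTITY greet "hello">]><note>&greet;</note>'
PLAIN_MSG = b'<note>hello</note>'


def find_external_dtd_refs(xml_bytes):
    """Return [(kind, identifier), ...] for every external DTD subset or
    external entity declared in the document. Nothing is fetched: parameter
    entity parsing is disabled and no ExternalEntityRefHandler is registered,
    so expat only reports the declarations it encounters."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> or <!DOCTYPE x PUBLIC "..." "...">: external subset
        if system_id is not None or public_id is not None:
            findings.append(("external-dtd", system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # <!ENTITY e SYSTEM "..."> inside the internal subset: external entity
        if system_id is not None or public_id is not None:
            findings.append(("external-entity", system_id or public_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Not well-formed XML: report it rather than letting it through unchecked
        findings.append(("malformed", str(exc)))
    return findings


def is_safe_for_xml_exchange(xml_bytes):
    """True when the body is well-formed and declares no external DTD or entity."""
    return not find_external_dtd_refs(xml_bytes)
```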

Detailed Timeline

Date Summary
2014-10-31 Reported to Apache and Red Hat
2014-10-31 Red Hat confirms reception
2014-11-05 Red Hat confirms the vulnerability and prepares fix
2014-11-07 Public fix released
2014-12-12 Advisory published