JBoss HornetQ XML External Entity Data Resolution

A vulnerability was found in JBoss HornetQ which allows an attacker to force the server to parse XML External Entities (XXE). This might allow an attacker to execute commands on the remote server, and disclose the contents of files from the server.

HornetQ is an open source message oriented middleware message broker written in Java. It supports message queuing protocols such as the Streaming Text Oriented Messaging Protocol (STOMP) and the Advanced Message Queuing Protocol (AMQP).

A vulnerability exists in the way HornetQ handles XML formatted messages sent over REST/HTTP which allows an adversary to trigger resolution of XML External Entities.

An attacker that is able to send XML messages to a HornetQ REST service endpoint could use this flaw to read files accessible to the user running the message broker, perform server-side request forgery or Document Type Definition based DoS attacks.

XML parsing as handled by HornetQ does not restrict processing of XML External Entities.

The following configuration directives when added to an application’s web.xml will mitigate the vulnerability.

Alternatively, change the version of RESTEasy to 3.0.9.Final or later when building HornetQ from source. This can be done by editing the Project Object Model (POM) file for the project.

Upgrade HornetQ to version 2.5.0.Final when made available by the vendor or follow the recommended workaround steps.

It was discovered that HornetQ ships with an outdated version of the RESTEasy framework (3.0.4.Final), which is used to dispatch message push and pull requests sent over REST/HTTP. This version of RESTEasy is vulnerable to XXE attacks via XML Parameter Entities as outlined in CVE-2014-3490.

The vulnerability can be triggered by submitting the following to a REST service endpoint via an HTTP POST request.

Where external.dtd is an externally hosted Document Type Definition (DTD) with the following contents.

An adversary would need to set up an HTTP service hosting the external DTD and an FTP or other service to retrieve the file contents using an out-of-band technique. The following is the output from a successful attack using a Python script to simulate the HTTP and FTP services.