IssueDescription: It was discovered that Apache ActiveMQ Apollo performed XML External Entity (XXE) expansion when evaluating XPath expressions. A remote, attacker-controlled consumer able to specify an XPath-based selector to dequeue XML messages from an Apache ActiveMQ Apollo broker could use this flaw to read files accessible to the user running the broker, and potentially perform other more advanced XXE attacks.
Upstream Issue: https://issues.apache.org/jira/browse/APLO-366 Upstream Commit: http://git-wip-us.apache.org/repos/asf/activemq-apollo/commit/e5647554
Acknowledgements: Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.
Statement: Not vulnerable. Apache ActiveMQ Apollo is not shipped with any supported Red Hat product.