A flaw was found in AMQ Broker: an XXE (XML External Entity) attack can be carried out through the Broker's configuration files, leading to DoS and information disclosure.
Acknowledgments: Name: Oleg Sushchenko
Exploitability Metrics:

Attack Vector: Local (AV:L) - The configuration files used for the injection are local files. Although the AMQ broker itself is tied to the network stack, and some of the configuration files could be dynamically generated, exploiting that would require another attack outside the scope of this vulnerability.

Attack Complexity: Low (AC:L) - The attack is trivial for a privileged local user, who can alter the configuration at will.

Privileges Required: High (PR:H) - The configuration files must be altered by a user with privileges equal to or higher than those the AMQ broker itself runs with; these are privileges that could be described as significant or administrative.

User Interaction: None (UI:N) - A user does not need to be coerced into performing any action for this flaw; an attacker can expect to be successful if the AMQ broker reads the modified configuration XML.

Scope: Unchanged (S:U) - The attacker will not be able to change elements outside of the security scope; for example, an attacker will be unable to escape the scope of the executing JVM solely due to this flaw.

Impact Metrics:

Confidentiality: Low (C:L) - We consider the confidentiality impact low: although any file can be targeted for exfiltration, in practice this is limited to a smaller subset of files, which
*) Are accessible under the same privileges as the executing JVM
*) Are not special files
*) Assuming low attack complexity, files with special characters or newlines cannot be exfiltrated
*) Depending on error handling, enumeration of files is not possible

Integrity: Low (I:L) - SSRF via XXE is generally possible, which is why the integrity impact is not None; however, there are mitigating circumstances outside the attacker's control, such as which other unauthenticated services are accessible. It is not possible to directly edit files with the XXE vulnerability without relying on other mechanisms outside the flaw at the low attack complexity.

Availability: Low (A:H) - A malicious XML configuration file can deny access to that instance of the broker and will constitute a total loss of availability for the service. As data durability, load balancing and broker clustering are features we can expect to be in use, denying access to one broker may in some circumstances mean a total and persistent service (messaging) outage.
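As an added defender-side example (not part of this advisory and not AMQ Broker's own code), the Python check below audits an XML configuration file before the broker loads it and flags exactly the DTD constructs this flaw depends on: external entities (file read / SSRF) and nested entity chains (expansion DoS). The broker.xml-shaped sample, its entity names and the file path in it are constructed placeholders; the parser-side fix of disabling DTD processing in the broker is assumed to be handled separately.

```python
import contextlib
import re
import xml.parsers.expat

# Constructed sample shaped like a broker.xml with a hostile internal DTD: an external
# entity (file read / SSRF vector) and a nested-entity chain (expansion DoS vector).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE configuration [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
  <!ENTITY a "aaaaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<configuration><core><name>&xxe;&c;</name></core></configuration>
"""
_REF = re.compile(r"&([^;&\s]+);")  # entity references inside a replacement text

class _DtdDone(Exception):
    """Internal signal: DOCTYPE fully read, stop before any element content."""

def audit_xml_config(xml_text: str, max_expansion: int = 1_000) -> list[str]:
    """Return findings for DTD constructs that enable XXE or entity-expansion DoS.
    Only the prolog is parsed (stopped at the end of the DOCTYPE), so the auditor
    never expands the entities it inspects. Malformed XML raises ExpatError."""
    findings: list[str] = []
    internal: dict[str, str] = {}  # entity name -> literal (unexpanded) replacement text
    def expanded_size(name, seen=()):  # cycle-safe estimate of an entity's expanded length
        if name in seen or name not in internal:
            return 0
        value, path = internal[name], seen + (name,)
        return len(_REF.sub("", value)) + sum(expanded_size(r, path) for r in _REF.findall(value))
    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE present for root <{name}>")
        if sysid:
            findings.append(f"external DTD subset: {sysid}")
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:  # external entity: file:// read or http:// SSRF
            findings.append(f"external entity {'%' if is_param else '&'}{name}; -> {sysid}")
        else:
            internal[name] = value or ""
            if (size := expanded_size(name)) > max_expansion:
                findings.append(f"entity &{name}; expands to ~{size} bytes")
    def on_end_doctype(): raise _DtdDone  # abort before content, so nothing is ever expanded
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    with contextlib.suppress(_DtdDone):
        parser.Parse(xml_text, True)
    return findings
```

A non-empty result means the file should be rejected before the broker parses it; a legitimate broker configuration has no reason to carry a DOCTYPE at all.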