Bug 1840862 (CVE-2020-14379) - CVE-2020-14379 Red Hat AMQ broker: XXE injection in configuration files
Summary: CVE-2020-14379 Red Hat AMQ broker: XXE injection in configuration files
Keywords:
Status: NEW
Alias: CVE-2020-14379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1840360
Reported: 2020-05-27 18:12 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:33 UTC (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the broker. An XXE attack can be used in Broker's configuration files, leading to DoS and information disclosure. The highest threat from the vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-05-27 18:12:06 UTC
A flaw was found in AMQ Broker in a way that an XXE attack can be used in Broker's configuration files, leading to DoS and information disclosure.

Comment 1 Jonathan Christison 2020-05-28 09:11:59 UTC
Acknowledgments:

Name: Oleg Sushchenko

Comment 9 Jonathan Christison 2021-11-04 09:44:30 UTC
Exploitability Metrics: 

Attack Vector Local (AV:L) -
The configuration files we are using as our injection vector are local files. Although the AMQ broker itself is tied to the network stack and there is the possibility of some of the configuration files being dynamically generated, this would require another attack outside the scope of this vulnerability.

Attack Complexity Low (AC:L) -
The attack is trivial for a privileged local user; they can alter the configuration at will.

Privileges Required High (PR:H) -
The configuration files must be altered by a user with privileges equal to or higher than those under which the AMQ broker itself runs; these are privileges that could be described as significant or administrative.

User Interaction None (UI:N)
A user does not need to be coerced into performing any action for this flaw; an attacker can expect to be successful if the AMQ broker reads modified configuration XML.

Scope Unchanged (S:U)
The attacker will not be able to change elements outside of the security scope; for example, an attacker will be unable to escape the scope of the executing JVM solely due to this flaw.
 
Impact Metrics:

Confidentiality Low (C:L)
We think the confidentiality impact is low, as although any file can be targeted for exfiltration, in reality this is limited to a smaller subset of files, which:

*) Are accessible under the same privileges as the executing JVM
*) Are not special files
*) Assuming low attack complexity, files with special characters or newlines cannot be exfiltrated
*) Depending on error handling, enumeration of files is not possible

Integrity Low (I:L) 
SSRF via XXE is generally possible, which is why the integrity impact is not none; however, there are mitigating circumstances outside the attacker's control, such as what other unauthenticated services are accessible. It is not possible to directly edit files with the XXE vulnerability without relying on other mechanisms outside the flaw at the low attack complexity.

Availability Low (A:H)
A malicious XML configuration file can deny access to that instance of the broker and will constitute a total loss of availability for the service. As data durability, load balancing and broker clustering are features we can expect to be in use, denying access to one broker may in some circumstances mean a total and persistent service (messaging) outage.
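The mitigation side of the analysis above, as an added example that is not part of this bug report or of AMQ Broker's code: a JAXP DocumentBuilderFactory hardened so that any DOCTYPE in a configuration file is rejected before entities can be resolved, run against a constructed config that carries only a harmless internal entity. The class name and the sample configuration are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedConfigLoader {

    // Constructed sample (not a real broker config): a DOCTYPE with an
    // internal entity. A default JAXP parser silently expands &e;.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE configuration [ <!ENTITY e \"expanded\"> ]>\n" +
        "<configuration><name>&e;</name></configuration>";

    /** Factory that refuses DOCTYPE declarations outright, so external
     *  entities, parameter entities and entity-expansion bombs never run. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever allowed through.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Returns the parsed document, or null when the parser rejected it. */
    static Document load(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            return b.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document d = load(DocumentBuilderFactory.newInstance(), CONFIG_WITH_DOCTYPE);
        System.out.println("default parser name = " + d.getElementsByTagName("name").item(0).getTextContent());
        System.out.println("hardened parser doc = " + load(hardenedFactory(), CONFIG_WITH_DOCTYPE));
    }
}
```

With the default factory the entity is expanded to "expanded"; with the hardened factory the same file is rejected at the DOCTYPE, which is the behaviour a broker should have for configuration it reads from disk.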

