1. XSS: Due to improper user data output validation, several instances of cross-site scripting vulnerabilities were identified to be present in the web-based administration console.
2. XXE: It is possible for a consumer dequeuing XML message(s) to specify an XPath-based selector, thus causing the broker to evaluate the expression and attempt to match it against the messages in the queue while also performing XML external entity resolution.
3. LDAP Wildcard Interpretation: When LDAP authentication is enabled, it is possible for an attacker to supply a wildcard operator instead of a username, which will effectively allow him to brute force a password for an unknown but valid account as opposed to brute forcing a combination of username and password. Once a valid password is found, the attacker can successfully authenticate with LDAP and publish/subscribe to a queue.
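Item 3 of the report, as an added example that is not ActiveMQ's LDAP code: a constructed three-entry directory, a simulated server-side evaluation of a `(uid=...)` filter that honours LDAP's `*` substring wildcard and `\XX` hex escapes (RFC 4515), and the two ways a broker might build its bind-lookup filter from the username a client supplies. The directory contents, the function names and the identifier allowlist are assumptions made for the example.

```python
"""Added example: wildcard interpretation of an unescaped LDAP username.

Not ActiveMQ code. The directory below is constructed; a real broker would
send the filter to an LDAP server, which is what search() stands in for.
"""
import re

# Constructed directory: the accounts the LDAP server is assumed to hold.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice"},
    {"dn": "uid=adam,ou=people,dc=example,dc=com", "uid": "adam"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob"},
]

# Only the single equality/substring filter shape this example needs.
_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$")
_HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def ldap_escape(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL become '\\XX' so the server treats them as
    literal characters rather than filter syntax.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _value_to_regex(value: str) -> "re.Pattern[str]":
    """Turn an assertion value into a regex the way an LDAP server reads it:
    an unescaped '*' matches any run of characters, '\\XX' is one literal char."""
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            pair = value[i + 1:i + 3]
            if not _HEX_PAIR.fullmatch(pair):
                raise ValueError(f"malformed escape in filter value: {value!r}")
            parts.append(re.escape(chr(int(pair, 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def search(filter_str: str) -> list:
    """Simulated server side: return the DNs whose attribute matches the filter."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    attr, pattern = m.group("attr"), _value_to_regex(m.group("value"))
    return [e["dn"] for e in DIRECTORY if attr in e and pattern.fullmatch(e[attr])]


def naive_filter(username: str) -> str:
    """The vulnerable construction: the client-supplied name is interpolated verbatim,
    so a username of '*' (or 'a*') becomes a wildcard that matches real accounts."""
    return f"(uid={username})"


def safe_filter(username: str) -> str:
    """Hardened construction: the name is escaped, so '*' is the literal character."""
    return f"(uid={ldap_escape(username)})"


def is_plain_username(username: str) -> bool:
    """Second layer (assumed policy): refuse anything that is not an account-name shape
    before it reaches the filter at all."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username) is not None


if __name__ == "__main__":
    for user in ("alice", "*", "a*"):
        print(f"{user!r:8} naive -> {search(naive_filter(user))}")
        print(f"{user!r:8} safe  -> {search(safe_filter(user))}")
```

With the naive filter, a username of `*` resolves to every entry in the directory, which is exactly what lets the attacker guess passwords against "some valid account" instead of a (username, password) pair; with the escaped filter the same input matches nothing. Escaping is the fix that must be present; the allowlist is an extra guard for a broker that only ever expects plain account names.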
Created attachment 970844 [details] description of vulns
Created attachment 970845 [details] AMQ XXE POC
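The XXE condition in item 2 of the report, as an added illustration that is neither ActiveMQ code nor the attached PoC: a minimal "broker" that parses an XML message body and evaluates a simplified path selector against it, first with external entity resolution enabled (the vulnerable configuration) and then with it disabled and DOCTYPEs refused outright. The selector `/order/note`, the message body and the secret file are constructed for the example; the parser is Python's standard-library `xml.sax`, standing in for whatever XML parser sits in front of the broker's XPath engine.

```python
"""Added example: why selector evaluation over XML message bodies must not
resolve external entities.  Not ActiveMQ code; uses only the Python stdlib."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class DtdRejected(Exception):
    """Raised when a message body carries a DOCTYPE and DTDs are not allowed."""


class _PathText(handler.ContentHandler):
    """Collects character data under each element path, e.g. '/order/note'."""

    def __init__(self):
        super().__init__()
        self._stack = []
        self.text = {}

    def startElement(self, name, attrs):
        self._stack.append(name)

    def endElement(self, name):
        self._stack.pop()

    def characters(self, content):
        path = "/" + "/".join(self._stack)
        self.text[path] = self.text.get(path, "") + content


class _NoDtd:
    """Lexical handler that refuses any DOCTYPE before entities can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in message bodies")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def select(body: bytes, path: str, *, resolve_external_entities: bool, reject_dtd: bool) -> str:
    """Parse `body` and return the text at `path` (a simplified /a/b selector).

    resolve_external_entities=True models the vulnerable broker: SYSTEM entities
    are fetched and inlined before the selector ever sees the document.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if reject_dtd:
        parser.setProperty(handler.property_lexical_handler, _NoDtd())
    content = _PathText()
    parser.setContentHandler(content)
    parser.parse(io.BytesIO(body))
    return content.text.get(path, "")


def demo():
    """Constructed scenario: a file on the broker host that no consumer should read."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        # Constructed attacker-supplied message: an external entity pointing at the file.
        body = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
            "<order><note>&xxe;</note></order>"
        ).encode()
        leaked = select(body, "/order/note", resolve_external_entities=True, reject_dtd=False)
        skipped = select(body, "/order/note", resolve_external_entities=False, reject_dtd=False)
        try:
            select(body, "/order/note", resolve_external_entities=False, reject_dtd=True)
            rejected = False
        except DtdRejected:
            rejected = True
        return leaked, skipped, rejected
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, skipped, rejected = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("external entities off:", repr(skipped))
    print("DOCTYPE refused:", rejected)
```

The selector itself is never the problem; whatever parses the body before the XPath engine evaluates it decides whether `&xxe;` becomes the contents of a file on the broker host. Turning external general entities off (here `feature_external_ges`) leaves the reference empty, and refusing any DOCTYPE is the stronger default for a broker, since message bodies have no legitimate reason to carry one.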
Per discussion with Dejan Bosanac on IRC, no RH fuse products are affected by CVE-2014-8110; it was introduced by a community commit that was never backported. Closing the flaw.