#VU38005 XML External Entity injection in ActiveMQ - CVE-2014-3600

Cybersecurity Help s.r.o.

Published: 2017-10-27 | Updated: 2020-08-08

Vulnerability identifier: #VU38005

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2014-3600

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ActiveMQ
Server applications / Mail servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ActiveMQ: 5.0.0, 5.1.0 - 5.10.0, 5.2.0, 5.3.0 - 5.3.2, 5.4.0 - 5.4.3, 5.5.0 - 5.5.1, 5.6.0, 5.7.0, 5.8.0, 5.9.0 - 5.9.1

External links
https://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
https://seclists.org/oss-sec/2015/q1/427
https://www.securityfocus.com/bid/72510
https://exchange.xforce.ibmcloud.com/vulnerabilities/100722
https://issues.apache.org/jira/browse/AMQ-5333
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA

Multiple vulnerabilities in ActiveMQ