VYPR
Critical severity 9.8 · NVD Advisory · Published Oct 27, 2017 · Updated May 13, 2026

CVE-2014-3579

Description

XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
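The description above leaves the mechanism implicit: a consumer registers an XPath selector, the broker parses each XML message body with a DOM parser to evaluate it, and before 1.7.1 that parser accepted DOCTYPE declarations and resolved entities, so the message producer controlled what the broker's parser fetched. The following is an added illustration, not Apollo code, that evaluates a selector with a default `DocumentBuilderFactory` and then with one hardened the way the 1.7.1 fix does. Class and method names are hypothetical; the feature URIs are the standard SAX/Xerces ones and are assumed to be supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added illustration (not Apollo code). Compares a default DocumentBuilderFactory
// with one hardened like the 1.7.1 fix when an XPath selector is evaluated
// against a message body. Names are hypothetical; the feature URIs are the
// standard SAX/Xerces ones, assumed supported by the JDK's built-in parser.
public class SelectorXxeDemo {

    // Hardened factory: refuse any DOCTYPE (where entity declarations live) and,
    // as defence in depth for parsers that lack that feature, disable external
    // entity resolution, entity expansion and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Evaluates an XPath selector as a boolean against one message body.
    // Like Apollo's evaluator, any parse or XPath failure means "no match".
    static boolean matches(DocumentBuilderFactory factory, String selector, String body) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(body)));
            XPath xpath = XPathFactory.newInstance().newXPath();
            return (Boolean) xpath.evaluate(selector, doc, XPathConstants.BOOLEAN);
        } catch (Exception e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String selector = "/order/priority = 'high'";
        // Constructed sample messages. The second carries a DOCTYPE with an
        // internal entity; the point is that the hardened parser refuses the
        // DOCTYPE itself, so no entity of any kind is ever resolved.
        String plain = "<order><priority>high</priority></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY p \"high\">]>"
                           + "<order><priority>&p;</priority></order>";

        DocumentBuilderFactory lax = DocumentBuilderFactory.newInstance();
        lax.setNamespaceAware(true);
        System.out.println("default factory, plain message:    " + matches(lax, selector, plain));
        System.out.println("default factory, DOCTYPE message:  " + matches(lax, selector, withDoctype));

        DocumentBuilderFactory safe = hardenedFactory();
        System.out.println("hardened factory, plain message:   " + matches(safe, selector, plain));
        System.out.println("hardened factory, DOCTYPE message: " + matches(safe, selector, withDoctype));
    }
}
```

With the default factory both messages match, because the internal entity is expanded before the XPath runs; with the hardened factory the plain message still matches while the DOCTYPE message is rejected by the parser with a `SAXParseException` and evaluates to no match. In Xerces the `disallow-doctype-decl` feature alone closes the hole, since entities can only be declared inside a DOCTYPE; the other settings cover parser implementations that do not honour it.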

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Affected versions    Patched versions
org.apache.activemq:apollo-project (Maven)  >= 1.0.0, < 1.7.1    1.7.1

Affected products

8 products:
  • cpe:2.3:a:apache:activemq_apollo:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq_apollo:1.7:*:*:*:*:*:*:*

Patches

1 patch: commit e5647554e680

https://issues.apache.org/jira/browse/APLO-366 - make xpath parser features configurable

https://github.com/apache/activemq-apollo · Dejan Bosanac · Aug 26, 2014 · via ghsa
1 file changed · +41 −1
  • apollo-selector/src/main/java/org/apache/activemq/apollo/filter/XalanXPathEvaluator.java+41 1 modified
    @@ -25,11 +25,16 @@
     
     import javax.xml.parsers.DocumentBuilder;
     import javax.xml.parsers.DocumentBuilderFactory;
    +import javax.xml.parsers.ParserConfigurationException;
     import java.io.StringReader;
    +import java.util.ArrayList;
    +import java.util.List;
    +import java.util.Map;
    +import java.util.Properties;
     
     
     public class XalanXPathEvaluator implements XPathExpression.XPathEvaluator {
    -
    +    public static final String DOCUMENT_BUILDER_FACTORY_FEATURE = "org.apache.activemq.apollo.documentBuilderFactory.feature";
         private final String xpath;
     
         public XalanXPathEvaluator(String xpath) {
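Review bot: DOCUMENT_BUILDER_FACTORY_FEATURE is a new public constant with no Javadoc, and its contract (a system property whose key is this prefix, a colon, then a parser feature URI, with a boolean value) can only be discovered by reading setupFeatures further down the patch; add a comment on the constant giving the key format, since this is the operator-facing knob the JIRA title promises. A mention in the Apollo configuration docs would help for the same reason.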
    @@ -51,7 +56,13 @@ protected boolean evaluate(String text) {
         protected boolean evaluate(InputSource inputSource) {
             try {
                 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    +            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    +            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    +            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    +            setupFeatures(factory);
                 factory.setNamespaceAware(true);
    +            factory.setIgnoringElementContentWhitespace(true);
    +            factory.setIgnoringComments(true);
                 DocumentBuilder dbuilder = factory.newDocumentBuilder();
                 Document doc = dbuilder.parse(inputSource);
     
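Review bot: setupFeatures(factory) runs after the three hardening setFeature calls, so a system property can switch external entities or DOCTYPE processing back on for this parser; that is what "configurable" means here, but the ordering deserves a comment and the docs should say plainly that overriding these defaults reintroduces the XXE exposure. Separately, the new setFeature calls sit inside the existing per-message try whose catch ends in `return false` (visible at the top of the next hunk), so on a DocumentBuilderFactory implementation that rejects one of these feature URIs every selector would silently evaluate to false; consider configuring the factory once outside the try and failing at startup with a clear error instead.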
    @@ -73,4 +84,33 @@ protected boolean evaluate(InputSource inputSource) {
                 return false;
             }
         }
    +
    +    protected void setupFeatures(DocumentBuilderFactory factory) {
    +        Properties properties = System.getProperties();
    +        List<String> features = new ArrayList<String>();
    +        for (Map.Entry<Object, Object> prop : properties.entrySet()) {
    +            String key = (String) prop.getKey();
    +            if (key.startsWith(DOCUMENT_BUILDER_FACTORY_FEATURE)) {
    +                String uri = key.split(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")[1];
    +                Boolean value = Boolean.valueOf((String)prop.getValue());
    +                try {
    +                    factory.setFeature(uri, value);
    +                    features.add("feature " + uri + " value " + value);
    +                } catch (ParserConfigurationException e) {
    +                    throw new RuntimeException("DocumentBuilderFactory doesn't support the feature " + uri + " with value " + value + ", due to " + e);
    +                }
    +            }
    +        }
    +        if (features.size() > 0) {
    +            StringBuffer featureString = new StringBuffer();
    +            // just log the configured feature
    +            for (String feature : features) {
    +                if (featureString.length() != 0) {
    +                    featureString.append(", ");
    +                }
    +                featureString.append(feature);
    +            }
    +        }
    +
    +    }
     }
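Review bot: `key.split(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")[1]` throws ArrayIndexOutOfBoundsException when a property key starts with the prefix but has no ":..." suffix (the startsWith guard does not require the colon), and String.split takes a regex, so the dots in the prefix match any character; check `key.startsWith(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")` and use `key.substring(...)` instead. The block at the end builds featureString under a comment saying it logs the configured features but never hands it to a logger, so it is dead code; either log it or remove it. Minor: Boolean.valueOf maps anything other than "true" to false, so a mistyped value silently disables a feature rather than being rejected; consider accepting only exactly "true" or "false".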
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

12

News mentions

0

No linked articles in our index yet.