[Eclipse OpenMQ] Remote Arbitrary File Read
Received on the security mailing list
Hello Eclipse Security Team!
My Name is Camilo G. I’m a professional security researcher and a long-time open source enthusiast. Over the years I’ve reported security issues to companies like Microsoft, PayPal, X, and Cloudflare, among others — I’ve also helped other open source projects be safer by reporting vulnerabilities and today I'll be doing the same for Eclipse's community.
While I was doing an EH service, I found an OpenMQ service running on port 7676. After making some tests I found an Arbitrary File Read vulnerability affecting the OpenMQ Broker service (details in VUL-EE4J-002.pdf). This vulnerability is high impact, but it requires authentication to be exploited; this got me to the second vulnerability you will find attached... Default credentials (details in VUL-EE4J-001.pdf) of OpenMQ's JMS are static and weak by default, and are not forced to be changed after first login.
Due to the kind of service, you may find an important number of exposed OpenMQ services with default credentials across the Internet. I’m reaching out to share the details with you in a responsible way and hopefully help make Eclipse's OpenMQ and all the projects using it (Glassfish, Payara, etc.) safer.
I’ve prepared two short reports in Github Security Advisory format with:
- A clear description of the issue
- Proof of concept
- Impact assessment (with CVSS score)
- Suggested remediation ideas
I’d be happy to answer any questions, provide clarifications, or help retest the vulnerability once it's fixed.
Thanks a lot for your time and for all the work you put into maintaining this project.
Regards.
VUL-EE4J-001-safe.pdf VUL-EE4J-002-safe.pdf
(note: attachments were sanitized with dangerzone prior to uploading here)