ActiveMQ 5.166.0 vulnerable Jolokia RCE via unrestricted deserialization
CVE-2022-41678 Published on November 28, 2023
Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.
In details, in ActiveMQ configurations, jetty allows
org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to
create JmxRequest through JSONObject. And calls to
org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks,
org.jolokia.handler.ExecHandler#doHandleRequest can be invoked
through refection. This could lead to RCE through via
various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2022-41678 has been classified to as an authentification vulnerability or weakness.
Products Associated with CVE-2022-41678
stack.watch emails you whenever new vulnerabilities are published in Apache ActiveMQ or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache ActiveMQ:- Before 5.16.6 is affected.
- Version 5.17.0 and below 5.17.4 is affected.
- Version 5.18.0 is unaffected.
- Version 6.0.0 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.