Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01M3Y0LTQyZmctZzI4N84AA3Zo
Apache ActiveMQ Deserialization of Untrusted Data vulnerability
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.
In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection.
And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01M3Y0LTQyZmctZzI4N84AA3Zo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: about 2 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-53v4-42fg-g287, CVE-2022-41678
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-41678
- https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt
- https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl
- http://www.openwall.com/lists/oss-security/2023/11/28/1
- https://github.com/apache/activemq/pull/958
- https://github.com/apache/activemq/commit/6120169e563b55323352431dfe9ac67a8b4de6c2
- https://security.netapp.com/advisory/ntap-20240216-0004
- https://github.com/apache/activemq/commit/5c8d457d9
- https://github.com/apache/activemq/commit/bf65929fd
- https://github.com/apache/activemq/commit/d8ce1d9ff
- https://github.com/advisories/GHSA-53v4-42fg-g287
Blast Radius: 12.5
Affected Packages
maven:org.apache.activemq:apache-activemq
Dependent packages: 5Dependent repositories: 26
Downloads:
Affected Version Ranges: >= 5.17.0, < 5.17.4, < 5.16.6
Fixed in: 5.17.4, 5.16.6
All affected versions: 4.1.1, 4.1.2, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.10.1, 5.10.2, 5.11.0, 5.11.1, 5.11.2, 5.11.3, 5.11.4, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, 5.14.0, 5.14.1, 5.14.2, 5.14.3, 5.14.4, 5.14.5, 5.15.0, 5.15.1, 5.15.2, 5.15.3, 5.15.4, 5.15.5, 5.15.6, 5.15.7, 5.15.8, 5.15.9, 5.15.10, 5.15.11, 5.15.12, 5.15.13, 5.15.14, 5.15.15, 5.15.16, 5.16.0, 5.16.1, 5.16.2, 5.16.3, 5.16.4, 5.16.5, 5.17.0, 5.17.1, 5.17.2, 5.17.3
All unaffected versions: 5.16.6, 5.16.7, 5.17.4, 5.17.5, 5.17.6, 5.18.0, 5.18.1, 5.18.2, 5.18.3, 5.18.4, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2