vulnerability
Apache ActiveMQ: CVE-2022-41678: Deserialization vulnerability on Jolokia that allows authenticated users to perform remote code execution (RCE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Nov 28, 2023 | Jan 9, 2024 | Nov 5, 2025 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Nov 28, 2023
Added
Jan 9, 2024
Modified
Nov 5, 2025
Description
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.
In details, in ActiveMQ configurations, jetty allows
org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to
create JmxRequest through JSONObject. And calls to
org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks,
org.jolokia.handler.ExecHandler#doHandleRequest can be invoked
through refection. This could lead to RCE through via
various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
In details, in ActiveMQ configurations, jetty allows
org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to
create JmxRequest through JSONObject. And calls to
org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks,
org.jolokia.handler.ExecHandler#doHandleRequest can be invoked
through refection. This could lead to RCE through via
various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Solution
apache-activemq-upgrade-latest
References
- CWE-287
- CVE-2022-41678
- https://attackerkb.com/topics/CVE-2022-41678
- URL-https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt
- URL-https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl
- URL-https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html
- URL-https://security.netapp.com/advisory/ntap-20240216-0004/
- URL-https://www.openwall.com/lists/oss-security/2023/11/28/1
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.