id: CVE-2022-41678
info:
name: Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution
author: maciejklimek
severity: high
description: |
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
impact: |
Authenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
remediation: Restrict or disable Jolokia, and upgrade to ActiveMQ version 5.16.6, 5.17.4, 5.18.0, or 6.0.0 with updated Jolokia configuration.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-41678
- https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt
- https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-41678
epss-score: 0.8581
epss-percentile: 0.99699
cwe-id: CWE-502
metadata:
verified: true
max-request: 1
shodan-query: http.title:"ActiveMQ"
fofa-query: title="ActiveMQ"
tags: cve,cve2022,activemq,rce,jolokia,authenticated
http:
- raw:
- |
GET /api/jolokia/list/org.apache.logging.log4j2 HTTP/1.1
Host: {{Hostname}}
Authorization: Basic YWRtaW46YWRtaW4=
Origin: {{RootURL}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "setConfigText"
- "getConfigText"
condition: and
- type: word
part: body
words:
- "org.apache.logging.log4j2"
- type: status
status:
- 200
# digest: 4a0a00473045022100d37d6f104b83d19f74b9f926c82785122ba3ab7cf84b41afcc6ecae0cd5b237402207cef7d60f05fbe1ad65f7ee941a727d480d5eb378c47b1b72c8a3b9c61d3e8aa:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation