CVE-2022-41678
Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.
In details, in ActiveMQ configurations, jetty allows
org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to
create JmxRequest through JSONObject. And calls to
org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks,
org.jolokia.handler.ExecHandler#doHandleRequest can be invoked
through refection. This could lead to RCE through via
various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Una vez que un usuario se autentica en Jolokia, potencialmente puede desencadenar la ejecución de código arbitrario. En detalles, en las configuraciones de ActiveMQ, jetty permite que org.jolokia.http.AgentServlet maneje la solicitud a /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest puede crear JmxRequest a través de JSONObject. Y llamadas a org.jolokia.http.HttpRequestHandler#executeRequest. En pilas de llamadas más profundas, org.jolokia.handler.ExecHandler#doHandleRequest puede invocar mediante reflexión. Y luego, RCE se puede lograr a través de jdk.management.jfr.FlightRecorderMXBeanImpl que existe en la versión de Java superior a 11. 1 Call newRecording. 2 Call setConfiguration. Y en él se esconden datos de un webshell. 3 Call startRecording. 4 Call copyTo method. El webshell se escribirá en un archivo .jsp. La mitigación es restringir (de forma predeterminada) las acciones autorizadas en Jolokia o desactivar Jolokia. Se ha definido una configuración de Jolokia más restrictiva en la distribución predeterminada de ActiveMQ. Alentamos a los usuarios a actualizar a la versión de distribuciones ActiveMQ, incluida la configuración actualizada de Jolokia: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.
In details, in ActiveMQ configurations, jetty allows
org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to
create JmxRequest through JSONObject. And calls to
org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks,
org.jolokia.handler.ExecHandler#doHandleRequest can be invoked
through refection. This could lead to RCE through via
various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-28 CVE Reserved
- 2023-11-28 CVE Published
- 2024-06-04 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20240216-0004 |
|
|
| https://www.openwall.com/lists/oss-security/2023/11/28/1 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | < 5.16.6 Search vendor "Apache" for product "Activemq" and version " < 5.16.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | >= 5.17.0 < 5.17.4 Search vendor "Apache" for product "Activemq" and version " >= 5.17.0 < 5.17.4" | - |
Affected
| ||||||