CVE-2024-32114

Apache ActiveMQ: Jolokia and REST API were not secured with default configuration

Severity Score

8.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located).
It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).

To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement:
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/" />
</bean>

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

En Apache ActiveMQ 6.x, la configuración predeterminada no protege el contexto web de la API (donde se encuentran la API REST de Jolokia JMX y la API REST de mensajes). Significa que cualquiera puede utilizar estas capas sin necesidad de autenticación. Potencialmente, cualquiera puede interactuar con el corredor (usando la API REST de Jolokia JMX) y/o producir/consumir mensajes o purgar/eliminar destinos (usando la API REST de mensajes). Para mitigar, los usuarios pueden actualizar el archivo de configuración predeterminado conf/jetty.xml para agregar el requisito de autenticación: O recomendamos a los usuarios que actualicen a Apache ActiveMQ 6.1.2, donde la configuración predeterminada se actualizó con autenticación de forma predeterminada.

*Credits: Martin Zeissig

CVSS Scores

Apachev3.1 8.5

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-11 CVE Reserved
2024-05-02 CVE Published
2024-05-03 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1188: Initialization of a Resource with an Insecure Default

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt	2024-05-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache ActiveMQ Search vendor "Apache Software Foundation" for product "Apache ActiveMQ"				>= 6.0.0 <= 6.1.1 Search vendor "Apache Software Foundation" for product "Apache ActiveMQ" and version " >= 6.0.0 <= 6.1.1"		en		Affected