CVE-2022-41678

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-41678
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41678.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-41678
Aliases
Downstream
Published
2023-11-28T15:08:38.338Z
Modified
2026-05-28T04:08:15.678810898Z
Summary
Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
Details

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. 

In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia

org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest.

Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.

1 Call newRecording.

2 Call setConfiguration. And a webshell data hides in it.

3 Call startRecording.

4 Call copyTo method. The webshell will be written to a .jsp file.

The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.

Database specific 
{
    "cna_assigner": "apache",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41678.json",
    "cwe_ids": [
        "CWE-287"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "5.16.6"
                },
                {
                    "introduced": "5.17.0"
                },
                {
                    "fixed": "5.17.4"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/apache/activemq

Affected ranges

Type
GIT
Repo
https://github.com/apache/activemq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
18a032865f87bf3a4fe318648a7b3982f7a0785e
Introduced
1f3ccad9bb330cbd7468f9f10ac0b542e7f8b51b
Fixed
720570e96747499af2736b9bb8ffa8692581b678
Database specific 
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.16.6"
        },
        {
            "introduced": "5.17.0"
        },
        {
            "fixed": "5.17.4"
        }
    ]
}

Affected versions

activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.16.0
activemq-5.16.1
activemq-5.16.2
activemq-5.16.3
activemq-5.16.4
activemq-5.16.5
activemq-5.17.0
activemq-5.17.1
activemq-5.17.2
activemq-5.17.3
activemq-5.9.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41678.json"