> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Apache ActiveMQ is a popular open-source message broker used to facilitate communication between different software systems. In November 2023, a remote code execution (RCE) vulnerability (CVE-2022-41678) affecting the Jolokia interface in ActiveMQ was publicly disclosed. The flaw allows authenticated attackers to gain full control of the server by sending specially crafted HTTP requests.
Vulnerability Overview
Root Cause
The vulnerability resides in how ActiveMQ handles requests to the Jolokia endpoint (`/api/jolokia`). When certain configurations are present, and authentication is bypassed or weak, an attacker can leverage Java Management Extensions (JMX) and Jolokia features to execute arbitrary code remotely.
Key components exploited include:
- Jolokia's HTTP API exposed via `AgentServlet`
- Java Flight Recorder (JFR) interfaces like `newRecording`, `setConfiguration`, `copyTo`
- log4j2 MBeans (e.g., `setConfigText`) for dynamic log reconfiguration
Exploitation Flow
- Authentication bypass or misuse of default credentials.
- Target the `/api/jolokia` interface using JMX commands.
- Use Java Flight Recorder or log4j2 MBeans to write a WebShell (e.g., a `.jsp` file) to disk.
- Access the WebShell to gain remote command execution.
In some cases, attackers were seen manipulating log4j2 configurations to output malicious payloads directly into files accessible via the web server.
Affected Versions
- Apache ActiveMQ 5.16.x: versions < 5.16.6
- Apache ActiveMQ 5.17.x: versions < 5.17.4
- Apache ActiveMQ 5.18.0 & 6.0.0: Not affected
Mitigation & Fix
Upgrade Now
Apache has released patches addressing this vulnerability. Upgrade to:
- 5.16.6+
- 5.17.4+
- Or preferably move to 5.18.0 or 6.0.0
Official site: https://activemq.apache.org/
Temporary Workarounds
- Disable Jolokia if not in use.
- Restrict access to `/api/jolokia` to internal, trusted IPs.
- Enable authentication and avoid using default passwords.
- Avoid exposing port 8161 (ActiveMQ Web Console) directly to the public internet.
- Monitor traffic to identify malicious patterns, especially around JMX and logging configurations.
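The last workaround, monitoring for the JMX and logging patterns named in the Exploitation Flow above, is concrete enough to show in code. The following detection script is an added example for this advisory, not SafeLine's or ActiveMQ's own code. It scans Jetty-style access-log lines for Jolokia `exec` calls (both the POST JSON form and the `/api/jolokia/exec/<mbean>/<operation>/...` GET form) that target the Flight Recorder or log4j2 MBeans and the operations listed above (`newRecording`, `setConfiguration`, `copyTo`, `setConfigText`), and additionally flags any argument that points at a `.jsp` path. The MBean domains `jdk.management.jfr` and `org.apache.logging.log4j2` are the standard JMX domains for those components; the sample log lines are constructed, and the trailing request-body field assumes a logging pipeline that records POST bodies.

```python
"""Flag Jolokia exec calls against the JFR and log4j2 MBeans named in the advisory.

Added example; sample log lines are constructed, and the trailing body field
is an assumption about the log pipeline (it records POST request bodies).
"""
import json
import re
from urllib.parse import unquote

# Standard JMX domains for Java Flight Recorder and log4j2.
SUSPICIOUS_MBEAN_DOMAINS = ("jdk.management.jfr", "org.apache.logging.log4j2")
# Operations the advisory lists as being abused.
SUSPICIOUS_OPERATIONS = {"newRecording", "setConfiguration", "copyTo", "setConfigText"}

# Constructed sample lines: common log format, then the captured request body
# (or "-" when there is none). Paths and MBean context names are made up.
SAMPLE_LOG = [
    '10.0.0.5 - admin [29/Nov/2023:10:00:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConsumerCount HTTP/1.1" 200 -',
    '203.0.113.9 - admin [29/Nov/2023:10:00:07 +0000] "GET /api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording HTTP/1.1" 200 -',
    '203.0.113.9 - admin [29/Nov/2023:10:00:09 +0000] "POST /api/jolokia HTTP/1.1" 200 {"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"copyTo","arguments":[1,"/path/under/webroot/x.jsp"]}',
    '203.0.113.9 - admin [29/Nov/2023:10:00:12 +0000] "POST /api/jolokia HTTP/1.1" 200 {"type":"exec","mbean":"org.apache.logging.log4j2:type=2a139a55","operation":"setConfigText","arguments":["<Configuration>...</Configuration>","UTF-8"]}',
    '10.0.0.5 - - [29/Nov/2023:10:00:20 +0000] "GET /admin/index.jsp HTTP/1.1" 200 -',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<body>.*)$'
)


def parse_jolokia_call(method, path, body):
    """Return (mbean, operation, arguments) for a Jolokia exec request, else None."""
    if "/api/jolokia" not in path:
        return None
    if method == "POST" and body.startswith("{"):
        try:
            req = json.loads(body)
        except json.JSONDecodeError:
            return None
        if req.get("type") != "exec":
            return None
        return req.get("mbean", ""), req.get("operation", ""), req.get("arguments", [])
    # GET form: /api/jolokia/exec/<mbean>/<operation>/<arg1>/...
    after = unquote(path).partition("/api/jolokia/")[2]
    if not after:
        return None
    parts = after.split("/")
    if len(parts) < 3 or parts[0] != "exec":
        return None
    return parts[1], parts[2], parts[3:]


def classify(mbean, operation, arguments):
    """Return the reasons a call is suspicious; an empty list means benign."""
    reasons = []
    domain = mbean.split(":", 1)[0]
    if domain in SUSPICIOUS_MBEAN_DOMAINS:
        reasons.append(f"exec on {domain} MBean")
    if operation in SUSPICIOUS_OPERATIONS:
        reasons.append(f"operation {operation}")
    if any(isinstance(a, str) and a.lower().endswith((".jsp", ".jspx")) for a in arguments):
        reasons.append("argument points at a .jsp path")
    return reasons


def scan(lines):
    """Return (ip, method, mbean, operation, reasons) for each suspicious line."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        call = parse_jolokia_call(m["method"], m["path"], m["body"])
        if call is None:
            continue  # not a Jolokia exec call (reads, admin pages, ...)
        reasons = classify(*call)
        if reasons:
            alerts.append((m["ip"], m["method"], call[0], call[1], reasons))
    return alerts


if __name__ == "__main__":
    for ip, method, mbean, operation, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {mbean} {operation}: {'; '.join(reasons)}")
```

Plain `read` calls against the broker MBeans, which the console itself issues constantly, produce no alert; only `exec` calls against the two domains or the listed operations do. Running this over real access logs requires the body field to be present, so in a deployment that logs only the request line the GET-form branch is the one that fires.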
Reproduction
Product Support
| Product | Status |
|---|---|
| Yuntu | Supports fingerprint & detection |
| Dongjian | Supports custom PoC detection |
| SafeLine | Behavior-based detection enabled |
| Quanxi | Updated rule pack supported |
Timeline
- Nov 28, 2023: Vulnerability publicly disclosed online
- Nov 29, 2023: Reproduced by Chaitin Security Research
- Nov 29, 2023: Chaitin Emergency Response Advisory released
References
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.