CodeNewbie Community 🌱

Sharon428931

ActiveMQ Under Attack: Jolokia RCE Vulnerability Breakdown

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Apache ActiveMQ is a popular open-source message broker used to facilitate communication between different software systems. In November 2023, a remote code execution (RCE) vulnerability (CVE-2022-41678) affecting the Jolokia interface in ActiveMQ was publicly disclosed. The flaw allows authenticated attackers to gain full control of the server by sending specially crafted HTTP requests.


Vulnerability Overview

Root Cause

The vulnerability resides in how ActiveMQ handles requests to the Jolokia endpoint (/api/jolokia). When certain configurations are present and authentication is bypassed or weak (for example, default credentials are still in place), an attacker who can reach the endpoint can leverage Java Management Extensions (JMX) and Jolokia features to execute arbitrary code remotely.

Key components exploited include:

  • Jolokia’s HTTP API exposed via AgentServlet
  • Java Flight Recorder (JFR) interfaces like newRecording, setConfiguration, copyTo
  • log4j2 MBeans (e.g., setConfigText) for dynamic log reconfiguration

Exploitation Flow

  1. Authentication bypass or misuse of default credentials.
  2. Target /api/jolokia interface using JMX commands.
  3. Use Java Flight Recorder or log4j2 MBeans to write a WebShell (e.g., .jsp file) to disk.
  4. Access the WebShell to gain remote command execution.

In some cases, attackers were seen manipulating log4j2 configurations to output malicious payloads directly into files accessible via the web server.


Affected Versions

  • Apache ActiveMQ 5.16.x: versions < 5.16.6
  • Apache ActiveMQ 5.17.x: versions < 5.17.4
  • Apache ActiveMQ 5.18.0 & 6.0.0: Not affected
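For inventory checks, the affected ranges above can be turned into a small version test. This is an added example, not code from the original post or from the ActiveMQ project; the version strings it is fed are constructed inputs, and branches the post does not list (older than 5.16.x) are reported as "not covered" rather than guessed.

```python
"""Check an ActiveMQ version string against the affected ranges above.

Added example, not from the original post. Sample inputs are constructed.
"""
import re

# Branch -> first fixed version, exactly as listed in the advisory.
FIXED_IN = {
    (5, 16): (5, 16, 6),
    (5, 17): (5, 17, 4),
}

# Branches the advisory explicitly calls "Not affected".
NOT_AFFECTED_BRANCHES = {(5, 18), (6, 0)}


def parse_version(version: str):
    """'5.16.5' -> (5, 16, 5); tolerates a suffix such as '5.17.3-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str):
    """True/False for branches the advisory covers, None for branches it does
    not mention (so the caller does not mistake 'unknown' for 'safe')."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in NOT_AFFECTED_BRANCHES:
        return False
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["5.16.5", "5.16.6", "5.17.3-SNAPSHOT", "5.17.4", "5.18.0", "6.0.0", "5.15.9"]:
        print(f"{v:16} affected={is_affected(v)}")
```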

Mitigation & Fix

Upgrade Now

Apache has released patches addressing this vulnerability. Upgrade to:

  • 5.16.6+
  • 5.17.4+
  • Or preferably move to 5.18.0 or 6.0.0

Official site: https://activemq.apache.org/

Temporary Workarounds

  • Disable Jolokia if not in use.
  • Restrict access to /api/jolokia to internal, trusted IPs.
  • Enable authentication and avoid using default passwords.
  • Avoid exposing port 8161 (ActiveMQ Web Console) directly to the public internet.
  • Monitor traffic to identify malicious patterns, especially around JMX and logging configurations.
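The last two workarounds (restricting /api/jolokia to trusted IPs and watching for JMX and logging-configuration activity) can be checked against the web console's access log. The following is an added example, not code from the original post or from the ActiveMQ project: it parses combined-format log lines, and flags any Jolokia request that either comes from outside a hypothetical trusted network or invokes one of the MBean operations the post names (the JFR newRecording/setConfiguration/copyTo calls and log4j2 setConfigText). The log lines and the 10.0.0.0/8 allowlist are constructed for the example. Jolokia GET URLs follow the form /api/jolokia/exec/<mbean>/<operation>/...; POST bodies are only visible if a proxy or WAF logs them, which is why a separate body check is included.

```python
"""Flag suspicious Jolokia traffic in ActiveMQ web console access logs.

Added example, not from the original post. Log lines are constructed and the
trusted-network allowlist is a hypothetical policy value.
"""
import json
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# MBean name prefixes and operations the advisory names as the abused chain.
SENSITIVE_OPERATIONS = {
    "jdk.management.jfr:": {"newRecording", "setConfiguration", "copyTo"},
    "org.apache.logging.log4j2:": {"setConfigText"},
}

# Hypothetical "trusted internal IPs" from the workaround list.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]

JOLOKIA_PREFIX = "/api/jolokia"

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip: str) -> bool:
    """True if the client IP is inside an allowlisted network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def sensitive_operation(mbean: str, operation: str) -> bool:
    """True if (mbean, operation) is one of the exploit-chain MBean calls."""
    return any(mbean.startswith(prefix) and operation in ops
               for prefix, ops in SENSITIVE_OPERATIONS.items())


def classify_path(path: str):
    """For a Jolokia GET URL /api/jolokia/exec/<mbean>/<op>/... return
    (mbean, op); None for non-Jolokia or non-exec requests."""
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    rest = unquote(path[len(JOLOKIA_PREFIX):].split("?", 1)[0])
    parts = [p for p in rest.split("/") if p]
    if len(parts) >= 3 and parts[0] == "exec":
        return parts[1], parts[2]
    return None


def classify_body(body: str):
    """Same extraction for a Jolokia POST body (single request or bulk list)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    reqs = data if isinstance(data, list) else [data]
    return [(r.get("mbean", ""), r.get("operation", ""))
            for r in reqs if isinstance(r, dict) and r.get("type") == "exec"]


def scan_log(lines):
    """Return (ip, path, reason) findings for Jolokia requests that violate
    the workaround policy: exploit-chain MBean call, or untrusted source."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(JOLOKIA_PREFIX):
            continue
        ip, path = m["ip"], m["path"]
        call = classify_path(path)
        if call and sensitive_operation(*call):
            findings.append((ip, path, f"exploit-chain MBean call {call[0]}/{call[1]}"))
        elif not is_trusted(ip):
            findings.append((ip, path, "Jolokia request from untrusted source"))
    return findings


SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - admin [29/Nov/2023:10:00:01 +0000] "GET /api/jolokia/version HTTP/1.1" 200 312',
    '203.0.113.7 - admin [29/Nov/2023:10:00:02 +0000] "GET /api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording HTTP/1.1" 200 210',
    '203.0.113.7 - admin [29/Nov/2023:10:00:03 +0000] "GET /api/jolokia/exec/org.apache.logging.log4j2:type=6d06d69c/setConfigText/CONFIG-PLACEHOLDER/UTF-8 HTTP/1.1" 200 198',
    '198.51.100.2 - - [29/Nov/2023:10:00:04 +0000] "GET /admin/index.jsp HTTP/1.1" 403 0',
    '198.51.100.2 - admin [29/Nov/2023:10:00:05 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {reason}: {path}")
```

In practice the allowlist should mirror whatever the reverse proxy or firewall actually enforces, and the exploit-chain check is worth running regardless of source address, since the flaw is reachable with valid credentials.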


Reproduction


Product Support

Product    Status
Yuntu      Supports fingerprint & detection
Dongjian   Supports custom PoC detection
SafeLine   Behavior-based detection enabled
Quanxi     Updated rule pack supported

Timeline

  • Nov 28, 2023: Vulnerability publicly disclosed online
  • Nov 29, 2023: Reproduced by Chaitin Security Research
  • Nov 29, 2023: Chaitin Emergency Response Advisory released

References


Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
