ActiveMQ Under Attack: Jolokia RCE Vulnerability Breakdown

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Apache ActiveMQ is a popular open-source message broker used to facilitate communication between different software systems. In November 2023, a remote code execution (RCE) vulnerability (CVE-2022-41678) affecting the Jolokia interface in ActiveMQ was publicly disclosed. The flaw allows authenticated attackers to gain full control of the server by sending specially crafted HTTP requests.

---

Vulnerability Overview

Root Cause

The vulnerability resides in how ActiveMQ handles requests to the Jolokia endpoint (/api/jolokia). When certain configurations are present, and authentication is bypassed or weak, an attacker can leverage Java Management Extensions (JMX) and Jolokia features to execute arbitrary code remotely.

Key components exploited include:

• Jolokia’s HTTP API exposed via AgentServlet
• Java Flight Recorder (JFR) interfaces like newRecording, setConfiguration, copyTo
• log4j2 MBeans (e.g., setConfigText) for dynamic log reconfiguration

Exploitation Flow

1. Authentication bypass or misuse of default credentials.
2. Target /api/jolokia interface using JMX commands.
3. Use Java Flight Recorder or log4j2 MBeans to write a WebShell (e.g., .jsp file) to disk.
4. Access the WebShell to gain remote command execution.

In some cases, attackers were seen manipulating log4j2 configurations to output malicious payloads directly into files accessible via the web server.

---

Affected Versions

• Apache ActiveMQ 5.16.x: versions < 5.16.6
• Apache ActiveMQ 5.17.x: versions < 5.17.4
• Apache ActiveMQ 5.18.0 & 6.0.0: Not affected

---

Mitigation & Fix

Upgrade Now

Apache has released patches addressing this vulnerability. Upgrade to:

• 5.16.6+
• 5.17.4+
• Or preferably move to 5.18.0 or 6.0.0

Official site: https://activemq.apache.org/

Temporary Workarounds

• Disable Jolokia if not in use.
• Restrict access to /api/jolokia to internal, trusted IPs.
• Enable authentication and avoid using default passwords.
• Avoid exposing port 8161 (ActiveMQ Web Console) directly to the public internet.
• Monitor traffic to identify malicious patterns, especially around JMX and logging configurations.

---

Reproduction

---

Product Support

---

Timeline

• Nov 28, 2023: Vulnerability publicly disclosed online
• Nov 29, 2023: Reproduced by Chaitin Security Research
• Nov 29, 2023: Chaitin Emergency Response Advisory released

---

References

• Apache ActiveMQ
• Apache Web Console Docs
• CVE-2022-41678 Record

---

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

• GitHub Repository
• Official Docs
• Discord Community