CVE-2020-11998: Apache ActiveMQ JMX Execute Arbitrary Code Vulnerability Alert

Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client. It provides “Enterprise Features” which in this case means fostering the communication from more than one client or server. Supported clients include Java via JMS 1.1 as well as several other “cross language” clients. The communication is managed with features such as computer clustering and ability to use any database as a JMS persistence provider besides virtual memory, cache, and journal persistency.

On September 10th, the Apache Software Foundation issued a security bulletin to fix the Apache ActiveMQ remote code execution vulnerability (CVE-2020-11998).
If the configuration passes RMIConnectorServer an empty environment map, one that contains no authentication credentials, ActiveMQ becomes vulnerable to code injection attacks.
Without the security management configuration, the remote client can create a javax.management.loading.MLet MBean and use it to create a new MBean from any URL. When the user loads a malicious remote client Java application, it will cause arbitrary code execution.
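The difference between an empty environment map and one that carries an authenticator can be seen with the JDK's own JMX remote API. This is an added example, not ActiveMQ's code or its patch; the class name, the credentials and the isolated MBeanServer are constructed for the demonstration.

```java
import java.util.*;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class JmxEnvDemo {
    // Constructed demo credentials (assumption); real ones belong in protected storage.
    static final String USER = "monitor", PASS = "constructed-demo-secret";

    // Weak form described above: no authenticator in the environment map.
    static Map<String, Object> emptyEnv() { return new HashMap<>(); }

    // Hardened form: the map carries a JMXAuthenticator that rejects bad or missing credentials.
    static Map<String, Object> authenticatedEnv() {
        JMXAuthenticator auth = creds -> {
            if (creds instanceof String[]) {
                String[] c = (String[]) creds;
                if (c.length == 2 && USER.equals(c[0]) && PASS.equals(c[1])) {
                    return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                            Collections.emptySet(), Collections.emptySet());
                }
            }
            throw new SecurityException("JMX authentication failed");
        };
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, auth);
        return env;
    }

    // Starts a connector with the given env, then tries a connection that sends no credentials.
    static boolean acceptsAnonymous(Map<String, Object> env) throws Exception {
        MBeanServer mbs = MBeanServerFactory.newMBeanServer(); // isolated, not the platform server
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL("service:jmx:rmi://"), env, mbs);
        cs.start();
        try (JMXConnector c = JMXConnectorFactory.connect(cs.getAddress())) {
            c.getMBeanServerConnection().getMBeanCount(); // any remote call proves access
            return true;
        } catch (SecurityException rejected) {
            return false;
        } finally {
            cs.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("empty env accepts anonymous client: " + acceptsAnonymous(emptyEnv()));
        System.out.println("authenticated env accepts anonymous client: " + acceptsAnonymous(authenticatedEnv()));
    }
}
```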

Affected version

Apache ActiveMQ  =  5.15.12

Unaffected version

Apache ActiveMQ  =  5.15.12

Solution

Apache has fixed the vulnerability in the new version; affected users should upgrade to Apache ActiveMQ 5.15.13.