October 25, 2020

CVE-2020-11998: Apache ActiveMQ JMX Execute Arbitrary Code Vulnerability Alert

1 min read

Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client. It provides “Enterprise Features” which in this case means fostering the communication from more than one client or server. Supported clients include Java via JMS 1.1 as well as several other “cross language” clients. The communication is managed with features such as computer clustering and ability to use any database as a JMS persistence provider besides virtual memory, cache, and journal persistency.

The Apache Software Foundation / Apache License 2.0
On September 10th, the Apache Software Foundation issued a security bulletin to fix the Apache ActiveMQ remote code execution vulnerability (CVE-2020-11998).
In the configuration, if the user passes an empty environment map that does not contain authentication credentials to RMIConnectorServer, it will make ActiveMQ vulnerable to code injection attacks.
Without the security management configuration, the remote client can create a javax.management.loading.MLet MBean and use it to create a new MBean from any URL. When the user loads a malicious remote client Java application, it will cause arbitrary code execution.

Affected version

Apache ActiveMQ  =  5.15.12

Unaffected version

Apache ActiveMQ  =  5.15.12

Solution

At present, Apache has fixed the vulnerability in the new version, please the affected users upgrade to Apache ActiveMQ 5.15.13.