CVE-2021-26117: ActiveMQ Unauthorized Access Vulnerability Alert
Apache ActiveMQ is the most popular open-source, multi-protocol, Java-based messaging server. It supports industry-standard protocols so users get the benefits of client choices across a broad range of languages and platforms.
Recently, Apache issued a risk notice on the unauthorized access vulnerability of Apache ActiveMQ, the vulnerability number is CVE-2021-26117. An attacker can use this vulnerability to gain unauthorized access to the system.
Vulnerability Detail
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.
Affected version
- Apache ActiveMQ Artemis < 2.16.0
- Apache ActiveMQ < 5.16.1
- Apache ActiveMQ < 5.15.14
Unaffected version
- Apache ActiveMQ Artemis >= 2.16.0
- Apache ActiveMQ >= 5.16.1
- Apache ActiveMQ >= 5.15.14
Solution
It is recommended that affected users upgrade the new version in time or don’t use anonymous binds in the LDAP configuration to fix the vulnerability.