CVE-2021-26117: ActiveMQ Unauthorized Access Vulnerability Alert
Apache ActiveMQ is the most popular open-source, multi-protocol, Java-based messaging server. It supports industry-standard protocols so users get the benefits of client choices across a broad range of languages and platforms.
Recently, Apache issued a risk notice on an unauthorized access vulnerability in Apache ActiveMQ, tracked as CVE-2021-26117. An attacker can use this vulnerability to gain unauthorized access to the system.
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used in error to verify a valid user's password, resulting in no check on the password.
Affected versions:
- Apache ActiveMQ Artemis < 2.16.0
- Apache ActiveMQ < 5.16.1
- Apache ActiveMQ < 5.15.14
Unaffected versions:
- Apache ActiveMQ Artemis >= 2.16.0
- Apache ActiveMQ >= 5.16.1
- Apache ActiveMQ >= 5.15.14
It is recommended that affected users upgrade to the new version in time, or do not use anonymous binds in the LDAP configuration, to fix the vulnerability.
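A configuration audit for the condition described above, as an added example that is not from the Apache notice or the ActiveMQ project: it scans a JAAS login configuration for LDAPLoginModule entries that bind anonymously and compares the broker version with the fixed releases listed. The function names, the product labels `activemq`/`artemis`, and the sample configuration are constructed for illustration, and reading the two 5.x fixed versions as per-release-line fixes is an assumption.

```python
import re

FIXED_ARTEMIS = (2, 16, 0)                                   # from the advisory
FIXED_CLASSIC = {(5, 15): (5, 15, 14), (5, 16): (5, 16, 1)}  # from the advisory

def is_vulnerable_version(product, version):
    """product: 'artemis' or 'activemq' (labels chosen for this example)."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    v += (0,) * (3 - len(v))
    if product == "artemis":
        return v < FIXED_ARTEMIS
    # Assumption: each 5.x fix covers its own release line, so 5.15.14
    # counts as fixed even though it sorts below 5.16.1.
    return v < FIXED_CLASSIC.get(v[:2], (5, 15, 14))

MODULE_RE = re.compile(r"(\S*LDAPLoginModule)\s+\w+(.*?);", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]*)')

def anonymous_ldap_modules(jaas_text):
    """Return (module class, reason) for each LDAP module binding anonymously."""
    findings = []
    for cls, body in MODULE_RE.findall(jaas_text):
        opts = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
        if opts.get("authentication", "").lower() == "none":
            findings.append((cls, "authentication=none"))
        elif not opts.get("connectionUsername"):
            # Heuristic: an empty bind DN is an anonymous simple bind in LDAP.
            findings.append((cls, "connectionUsername unset"))
    return findings

def audit(product, version, jaas_text):
    """Anonymous-bind modules that matter because the broker is unpatched."""
    if not is_vulnerable_version(product, version):
        return []
    return anonymous_ldap_modules(jaas_text)

# Constructed sample configuration (hostnames and DNs are placeholders).
SAMPLE_JAAS = '''
AnonLdap {
  org.apache.activemq.jaas.LDAPLoginModule required
    connectionURL="ldap://ldap.example.internal:389"
    authentication=none
    userSearchMatching="(uid={0})";
};
BoundLdap {
  org.apache.activemq.jaas.LDAPLoginModule required
    connectionUsername="cn=svc-amq,dc=example,dc=internal"
    connectionPassword="${ldap.password}"
    authentication=simple;
};
'''
```

A non-empty result from `audit()` means the broker should be upgraded or the listed module switched to an authenticated bind.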