Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2022-41678

Published: 28/11/2023 Updated: 16/02/2024
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0
Subscribe to Apache

Vulnerability Summary

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection. And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache activemq

Vendor Advisories

Red Hat:
DescriptionThe MITRE CVE dictionary describes this issue as: Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution In details, in ActiveMQ configurations, jetty allows orgjolokiahttpAgentServlet to handler request to /api/jolokia orgjolokiahttpHttpRequestHandler#handlePostRequest is able to create JmxR ...

Mailing Lists

Full Disclosure: CVE-2022-41678: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> CVE-2022-41678: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE <!--X ...

References

CWE-502https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txthttps://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4slhttp://www.openwall.com/lists/oss-security/2023/11/28/1https://security.netapp.com/advisory/ntap-20240216-0004/https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2022-41678https://seclists.org/oss-sec/2023/q4/241
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322cross-site request forgeryunauthorizedCVE-2024-33925reflected XSSCVE-2023-51580CVE-2023-51579CVE-2015-2051CVE-2023-51609
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook