{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41678", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-09-28T07:40:05.138Z", "datePublished": "2023-11-28T15:08:38.338Z", "dateUpdated": "2024-08-03T12:49:43.601Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:apache-activemq", "product": "Apache ActiveMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.16.6", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "5.17.4", "status": "affected", "version": "5.17.0", "versionType": "semver"}, {"status": "unaffected", "version": "5.18.0"}, {"status": "unaffected", "version": "6.0.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "wangxin@threatbook.cn"}, {"lang": "en", "type": "finder", "value": "wangzhendong@threatbook.cn"}, {"lang": "en", "type": "finder", "value": "honglonglong@threatbook.cn"}, {"lang": "en", "type": "finder", "value": "Matei \"Mal\" Badanoiu"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.&nbsp;<br><br>In details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia<br><br>org.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.<br><br>Into deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest can be invoked\nthrough refection. This could lead to RCE through via\nvarious mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n<br><br>\n1 Call newRecording.\n<br>\n2 Call setConfiguration. And a webshell data hides in it.\n<br>\n3 Call startRecording.\n<br>\n4 Call copyTo method. The webshell will be written to a .jsp file.<br><br></span>The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.<br>A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.<br>"}], "value": "Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\n\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\n\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest can be invoked\nthrough refection. This could lead to RCE through via\nvarious mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration. And a webshell data hides in it.\n\n3 Call startRecording.\n\n4 Call copyTo method. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"}], "metrics": [{"other": {"content": {"text": "Medium"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-31T08:42:41.796Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"}, {"url": "https://www.openwall.com/lists/oss-security/2023/11/28/1"}, {"url": "https://security.netapp.com/advisory/ntap-20240216-0004/"}], "source": {"defect": ["AMQ-9201"], "discovery": "UNKNOWN"}, "title": "Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:49:43.601Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"}, {"url": "https://www.openwall.com/lists/oss-security/2023/11/28/1", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240216-0004/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CD766F1-F0C9-4CFE-85F5-308248C6E44C", "versionEndExcluding": "5.16.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0D4F2D0-6707-47EA-BE24-D1B273EF5122", "versionEndExcluding": "5.17.4", "versionStartIncluding": "5.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\n\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\n\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest can be invoked\nthrough refection. This could lead to RCE through via\nvarious mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration. And a webshell data hides in it.\n\n3 Call startRecording.\n\n4 Call copyTo method. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"}, {"lang": "es", "value": "Una vez que un usuario se autentica en Jolokia, potencialmente puede desencadenar la ejecuci\u00f3n de c\u00f3digo arbitrario. En detalles, en las configuraciones de ActiveMQ, jetty permite que org.jolokia.http.AgentServlet maneje la solicitud a /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest puede crear JmxRequest a trav\u00e9s de JSONObject. Y llamadas a org.jolokia.http.HttpRequestHandler#executeRequest. En pilas de llamadas m\u00e1s profundas, org.jolokia.handler.ExecHandler#doHandleRequest puede invocar mediante reflexi\u00f3n. Y luego, RCE se puede lograr a trav\u00e9s de jdk.management.jfr.FlightRecorderMXBeanImpl que existe en la versi\u00f3n de Java superior a 11. 1 Call newRecording. 2 Call setConfiguration. Y en \u00e9l se esconden datos de un webshell. 3 Call startRecording. 4 Call copyTo method. El webshell se escribir\u00e1 en un archivo .jsp. La mitigaci\u00f3n es restringir (de forma predeterminada) las acciones autorizadas en Jolokia o desactivar Jolokia. Se ha definido una configuraci\u00f3n de Jolokia m\u00e1s restrictiva en la distribuci\u00f3n predeterminada de ActiveMQ. Alentamos a los usuarios a actualizar a la versi\u00f3n de distribuciones ActiveMQ, incluida la configuraci\u00f3n actualizada de Jolokia: 5.16.6, 5.17.4, 5.18.0, 6.0.0."}], "id": "CVE-2022-41678", "lastModified": "2024-11-21T07:23:37.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-28T16:15:06.840", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240216-0004/"}, {"source": "security@apache.org", "url": "https://www.openwall.com/lists/oss-security/2023/11/28/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240216-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.openwall.com/lists/oss-security/2023/11/28/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2945", "cpe": "cpe:/a:redhat:amq_broker:7.12", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-05-21T00:00:00Z"}, {"advisory": "RHSA-2024:3354", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "activemq", "product_name": "Red Hat Fuse 7.13.0", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:2944", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "amq7/amq-broker-init-rhel8:7.12.0-7", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2024-05-21T00:00:00Z"}, {"advisory": "RHSA-2024:2944", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "amq7/amq-broker-rhel8:7.12.0-7", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2024-05-21T00:00:00Z"}, {"advisory": "RHSA-2024:2944", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "amq7/amq-broker-rhel8-operator-bundle:7.12.0-10", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2024-05-21T00:00:00Z"}], "bugzilla": {"description": "ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE", "id": "2252185", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252185"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest can be invoked\nthrough refection. This could lead to RCE through via\nvarious mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n1 Call newRecording.\n2 Call setConfiguration. And a webshell data hides in it.\n3 Call startRecording.\n4 Call copyTo method. The webshell will be written to a .jsp file.\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-41678", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "activemq", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "activemq", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "activemq", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "activemq", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "activemq", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2023-11-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-41678\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41678"], "statement": "This vulnerability is considered moderate severity due to the requirement of authenticated access to exploit the flaw, significantly reducing the risk to systems that enforce strong authentication controls. While it does allow for remote code execution through Jolokia's request handling and Java Management Extensions (JMX), the exploitation pathway is complex and relies on specific conditions, such as the presence of Java 11 or higher and misconfigured or permissive Jolokia settings. an authenticated attacker to achieve remote code execution (RCE) within the ActiveMQ environment.Only an authenticated attacker to achieve remote code execution (RCE) within the ActiveMQ environment. In environments where authentication is well-managed and Jolokia is correctly configured or disabled, the likelihood of successful exploitation is reduced, mitigating the overall impact on system security.", "threat_severity": "Moderate"}