Arbitrary Code Execution
Affecting org.apache.activemq:activemq-broker artifact, versions [5.15.12,5.15.13)
org.apache.activemq:activemq-broker is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation.
Affected versions of this package are vulnerable to Arbitrary Code Execution. A regression was introduced in Apache ActiveMQ while preventing JMX re-bind (CVE-2020-13920). Because an empty environment map is passed to RMIConnectorServer instead of the map that contains the authentication credentials, ActiveMQ is left open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.
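The difference the environment map makes can be checked locally with the standard JMX remote API. The following is an added example, not ActiveMQ code: the class name JmxEnvMapCheck, the constructed credentials and the lambda authenticator are assumptions standing in for the credentials map the broker is meant to pass. It starts a connector server once with an empty map and once with an authenticating map, and reports whether a client that supplies no credentials is accepted.

```java
import java.lang.management.ManagementFactory;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.Subject;

// Added illustration, not ActiveMQ source. Class name, credentials and the
// lambda authenticator are assumptions standing in for the broker's own setup.
public class JmxEnvMapCheck {
    static final String USER = "monitor", PASS = "constructed-demo-secret"; // constructed values

    // Environment that enforces authentication on every new JMX connection.
    static Map<String, Object> authEnv() {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, (JMXAuthenticator) creds -> {
            if (creds instanceof String[]) {
                String[] c = (String[]) creds;
                if (c.length == 2 && USER.equals(c[0]) && PASS.equals(c[1])) {
                    Subject s = new Subject();
                    s.getPrincipals().add(new JMXPrincipal(c[0]));
                    return s;
                }
            }
            throw new SecurityException("JMX authentication failed");
        });
        return env;
    }

    // Starts an RMI connector server with env and reports whether a client
    // that supplies no credentials is allowed to open a connection.
    static boolean acceptsAnonymous(Map<String, ?> env) throws Exception {
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
            new JMXServiceURL("service:jmx:rmi://"), env,
            ManagementFactory.getPlatformMBeanServer());
        server.start();
        try (JMXConnector c = JMXConnectorFactory.connect(server.getAddress())) {
            c.getMBeanServerConnection().getMBeanCount();
            return true;   // unauthenticated client reached the MBean server
        } catch (SecurityException e) {
            return false;  // authenticator rejected the missing credentials
        } finally {
            server.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("empty env accepts anonymous: " + acceptsAnonymous(new HashMap<String, Object>()));
        System.out.println("auth env accepts anonymous:  " + acceptsAnonymous(authEnv()));
    }
}
```

The same anonymous-connection probe, pointed at a broker's own JMX service URL in a test environment, confirms whether an upgraded deployment enforces its configured credentials.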
Upgrade org.apache.activemq:activemq-broker to version 5.15.13 or higher.