Arbitrary Code Execution

Affecting org.apache.activemq:activemq-broker artifact, versions [5.15.12,5.15.13)


Overview

org.apache.activemq:activemq-broker is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation.

Affected versions of this package are vulnerable to Arbitrary Code Execution. A regression was introduced in Apache ActiveMQ by the change that prevents JMX re-bind (the fix for CVE-2020-13920): the broker passes an empty environment map to RMIConnectorServer instead of the map that carries the JMX authentication credentials, so the RMI connector server is started without the credential check that the map would otherwise enable. This leaves ActiveMQ open to the attack described in the Oracle JMX agent documentation (https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html), which warns:

"A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code."
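To make the regression concrete, the following is an added illustrative example, not ActiveMQ's own ManagementContext code. It constructs an RMIConnectorServer the way the regression did, with an empty environment map, beside the corrected form that carries a JMXAuthenticator in the map, and then checks each from a client. The port, the user name and the password are assumptions made for the demonstration; a JMXAuthenticator is used so that no password file is needed on disk (the JDK's RMI connector applies the same check when the map contains jmx.remote.x.password.file instead).

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.security.auth.Subject;

/**
 * Illustrative JMX connector set-up (added example, not ActiveMQ code).
 * Shows the regression pattern (empty environment map, no authenticator)
 * beside the corrected pattern, and checks each one from a client.
 */
public class JmxAuthCheck {

    // Assumptions for the demonstration: a free local port and a made-up credential pair.
    static final int PORT = 1099;
    static final String USER = "admin";
    static final String PASSWORD = "s3cret";

    static JMXServiceURL url() throws Exception {
        return new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + PORT + "/jmxrmi");
    }

    /** The regression: an empty environment map, so the connector has no authenticator to apply. */
    static JMXConnectorServer vulnerableServer(MBeanServer mbs) throws Exception {
        return new RMIConnectorServer(url(), new HashMap<String, Object>(), mbs);
    }

    /** Corrected: the environment map carries a JMXAuthenticator, so every new client is authenticated. */
    static JMXConnectorServer hardenedServer(MBeanServer mbs) throws Exception {
        JMXAuthenticator authenticator = credentials -> {
            if (credentials instanceof String[]) {
                String[] c = (String[]) credentials;
                if (c.length == 2 && USER.equals(c[0]) && PASSWORD.equals(c[1])) {
                    return new Subject(true,
                            Collections.singleton(new JMXPrincipal(c[0])),
                            Collections.emptySet(), Collections.emptySet());
                }
            }
            throw new SecurityException("JMX authentication failed");
        };
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, authenticator);
        return new RMIConnectorServer(url(), env, mbs);
    }

    /** Client-side check: can a caller that presents no credentials read the MBean server? */
    static boolean anonymousAccessAllowed() throws Exception {
        try (JMXConnector c = JMXConnectorFactory.connect(url(), null)) {
            c.getMBeanServerConnection().getMBeanCount();
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Client-side check: do the expected credentials still work against the hardened server? */
    static boolean credentialedAccessAllowed() throws Exception {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {USER, PASSWORD});
        try (JMXConnector c = JMXConnectorFactory.connect(url(), env)) {
            c.getMBeanServerConnection().getMBeanCount();
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        Registry registry = LocateRegistry.createRegistry(PORT);

        // Regression pattern: the anonymous client gets in.
        JMXConnectorServer vulnerable = vulnerableServer(mbs);
        vulnerable.start();
        System.out.println("empty env map: anonymous access allowed = " + anonymousAccessAllowed());
        vulnerable.stop();

        // Corrected pattern: anonymous access is refused, valid credentials still work.
        JMXConnectorServer hardened = hardenedServer(mbs);
        hardened.start();
        System.out.println("authenticator set: anonymous access allowed = " + anonymousAccessAllowed());
        System.out.println("authenticator set: credentialed access allowed = " + credentialedAccessAllowed());
        hardened.stop();

        // Release the in-process registry so the JVM can exit.
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Compile and run with `javac JmxAuthCheck.java && java JmxAuthCheck`. The anonymousAccessAllowed check, pointed at a broker's own JMX service URL, is also a quick way to confirm whether a deployed 5.15.12 instance exposes an unauthenticated connector before and after the upgrade.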

Remediation

Upgrade org.apache.activemq:activemq-broker to version 5.15.13 or higher.

CVSS Score

7.0
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:R
Credit
Unknown
CVE
CVE-2020-11998
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGAPACHEACTIVEMQ-674317
Disclosed
11 Sep, 2020
Published
11 Sep, 2020