PT-2020-13787 · Apache · Apache TomEE

Frans Henskens · Published 2020-12-17 · Updated 2022-02-09 · CVE-2020-13931

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache TomEE 1.0.0 through 1.7.5
Apache TomEE 7.0.0-M1 through 7.0.8
Apache TomEE 7.1.0 through 7.1.3
Apache TomEE 8.0.0-M1 through 8.0.3

Description

When Apache TomEE is configured to use the embedded ActiveMQ broker and the broker configuration is wrong, the broker is started with JMX enabled and a JMX/RMI registry is opened on TCP port 1099 without any authentication. Anyone who can reach that port can connect with an ordinary JMX client and invoke MBean operations on the broker and the hosting JVM, which is why the issue is rated with high impact on confidentiality, integrity and availability. A correctly configured broker does not take this path; it is an edge case that was not covered by a previous fix for this exposure.

Recommendations

Upgrade to a TomEE release that contains the fix. Until that is possible, the following workarounds apply equally to every affected range (1.0.0 through 1.7.5, 7.0.0-M1 through 7.0.8, 7.1.0 through 7.1.3 and 8.0.0-M1 through 8.0.3): disable the JMX management interface of the embedded broker; restrict network access to TCP port 1099 to trusted management hosts; do not run the embedded ActiveMQ broker with a misconfigured broker setup; or, where the broker is not needed, disable the embedded ActiveMQ broker entirely. After applying a workaround, verify from an untrusted network position that nothing answers on TCP port 1099.
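As an added check to go with the recommendations above (example code written for this entry, not code from TomEE, ActiveMQ or the reporter), the following Python probe sends the Java RMI stream-protocol handshake to a host's TCP port 1099 and reports whether an RMI registry answers with a ProtocolAck, which is what a JMX/RMI connector exposes on that port. The fake registry it starts on 127.0.0.1 is a constructed stand-in so the example runs offline; the host names, the script name and the advertised endpoint are assumptions.

```python
import socket
import socketserver
import struct
import threading

# Java RMI transport header (sun.rmi.transport.tcp): magic "JRMI", version 2,
# then the protocol byte. 0x4b = StreamProtocol. The server answers with one
# byte: 0x4e = ProtocolAck (followed by its host string and port),
# 0x4f = ProtocolNack.
RMI_MAGIC = b"JRMI"
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F


def rmi_handshake() -> bytes:
    """Bytes a JMX/RMI client sends first: JRMI, version 2, StreamProtocol."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, STREAM_PROTOCOL)


def parse_rmi_ack(data: bytes):
    """Decode a ProtocolAck: ack byte, 2-byte length-prefixed host, 4-byte port.
    Returns (host, port), or None if the bytes are not a well-formed ack."""
    if len(data) < 7 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 7 + hlen:
        return None
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + hlen:7 + hlen])
    return host, port


def _recv_exact(sock, n):
    """Read exactly n bytes, or return None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def probe_rmi(host, port=1099, timeout=3.0):
    """Connect, send the handshake and read the ack.
    Returns the (host, port) the registry advertises, or None when nothing
    RMI-speaking answers (closed port, timeout, Nack or a non-RMI service)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(rmi_handshake())
            head = _recv_exact(s, 3)          # ack byte + host length
            if head is None or head[0] != PROTOCOL_ACK:
                return None
            (hlen,) = struct.unpack(">H", head[1:3])
            rest = _recv_exact(s, hlen + 4)   # host bytes + port
            if rest is None:
                return None
            return parse_rmi_ack(head + rest)
    except OSError:
        return None


# Constructed stand-in for an exposed registry so the example runs offline.
class _FakeRegistry(socketserver.BaseRequestHandler):
    """Answers the handshake the way a real RMI registry would; no JMX behind it."""
    def handle(self):
        if _recv_exact(self.request, 7) == rmi_handshake():
            advertised = b"127.0.0.1"          # assumed endpoint the registry reports
            self.request.sendall(
                struct.pack(">BH", PROTOCOL_ACK, len(advertised)) + advertised
                + struct.pack(">i", 1099))
        else:
            self.request.sendall(bytes([PROTOCOL_NACK]))


def start_fake_registry():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeRegistry)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    import sys
    # Usage: python rmi_probe.py <tomee-host> [port]; with no arguments, probe the stand-in.
    if len(sys.argv) > 1:
        target = sys.argv[1]
        tport = int(sys.argv[2]) if len(sys.argv) > 2 else 1099
        hit = probe_rmi(target, tport)
    else:
        srv, tport = start_fake_registry()
        target = "127.0.0.1"
        hit = probe_rmi(target, tport)
        srv.shutdown()
        srv.server_close()
    if hit:
        print(f"{target}:{tport} speaks RMI, registry advertises {hit[0]}:{hit[1]}; "
              "confirm unauthenticated JMX with a JMX client")
    else:
        print(f"{target}:{tport}: no RMI registry answered")
```

A ProtocolAck only proves that an RMI registry is listening; it does not by itself prove that the JMX connector behind it accepts unauthenticated connections. On a TomEE instance where the embedded broker is configured correctly, or where the workarounds above have been applied, nothing should answer on 1099 at all, so any hit is worth following up with a JMX client (jconsole, for example) to see whether it connects without credentials.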

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2020-13931
GHSA-MP28-RQ7G-QX62

Affected Products

Apache TomEE