PT-2020-5485 · Apache · Apache ActiveMQ

Published: 2020-09-10 · Updated: 2024-03-06 · CVE-2020-11998

CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ versions prior to 5.15.13

Description: The issue is a regression introduced in the commit that prevents JMX re-bind. The broker passes an empty environment map to the RMIConnectorServer instead of the map that carries the authentication credentials, so the JMX connector is exposed without authentication. A remote client can then create a javax.management.loading.MLet MBean and use it to load new MBeans from arbitrary URLs, at least when no security manager is installed. In other words, a rogue remote client could make the Java application execute arbitrary code.

Recommendations: Upgrade to Apache ActiveMQ 5.15.13 or later. As a temporary workaround, restrict network access to the broker's JMX/RMI connector (for example with firewall rules that limit it to trusted management hosts). When a connector is created, the environment map handed to the RMIConnectorServer must not be empty: it has to carry the authentication settings (such as a jmx.remote.authenticator), because an empty map means the connector accepts anonymous clients.
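The following is an added example written for this page; it is not ActiveMQ's ManagementContext code. It shows the vulnerable pattern the description refers to (an RMI connector started with an empty environment map) beside the hardened form (the map carries a JMXAuthenticator), and a client-side check an operator can run against a broker to learn whether its JMX connector accepts an anonymous connection. The port 1099, the path /jmxrmi, the class name JmxConnectorCheck and the credentials admin/secret are assumptions for the demonstration.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

/**
 * Illustrative code, not ActiveMQ's own: contrasts an RMI connector started with an
 * empty environment map (the CVE-2020-11998 pattern) with one started with an
 * authenticator, and provides a check for anonymous JMX access.
 */
public class JmxConnectorCheck {

    // Assumed values for the demonstration.
    static final int PORT = 1099;
    static final String USER = "admin";      // assumed credential
    static final String PASSWORD = "secret"; // assumed credential

    static JMXServiceURL serviceUrl(String host, int port) throws IOException {
        return new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
    }

    /** Vulnerable pattern: an empty environment map means the connector has no authenticator. */
    static JMXConnectorServer startUnauthenticated(int port) throws IOException {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        LocateRegistry.createRegistry(port);
        Map<String, Object> env = new HashMap<>(); // empty: no jmx.remote.authenticator
        JMXConnectorServer server =
                JMXConnectorServerFactory.newJMXConnectorServer(serviceUrl("localhost", port), env, mbs);
        server.start();
        return server;
    }

    /** Hardened pattern: the environment map carries a JMXAuthenticator that rejects anonymous clients. */
    static JMXConnectorServer startAuthenticated(int port) throws IOException {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        LocateRegistry.createRegistry(port);
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, (JMXAuthenticator) credentials -> {
            if (!(credentials instanceof String[])) {
                throw new SecurityException("credentials required");
            }
            String[] c = (String[]) credentials;
            if (c.length == 2 && USER.equals(c[0]) && PASSWORD.equals(c[1])) {
                return new Subject(true,
                        Collections.singleton(new JMXPrincipal(c[0])),
                        Collections.emptySet(), Collections.emptySet());
            }
            throw new SecurityException("invalid credentials");
        });
        JMXConnectorServer server =
                JMXConnectorServerFactory.newJMXConnectorServer(serviceUrl("localhost", port), env, mbs);
        server.start();
        return server;
    }

    /**
     * Operator check: open a JMX session with no credentials at all.
     * Returns true when the connector lets an anonymous client in, which is the
     * condition CVE-2020-11998 creates on an unpatched broker.
     */
    static boolean acceptsAnonymous(String host, int port) throws IOException {
        try (JMXConnector c = JMXConnectorFactory.connect(serviceUrl(host, port), null)) {
            MBeanServerConnection conn = c.getMBeanServerConnection();
            conn.getMBeanCount(); // any remote call; it only runs after a successful connect
            return true;
        } catch (SecurityException e) {
            return false; // the authenticator rejected the anonymous connection
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // No target given: start the hardened connector locally and check it.
            JMXConnectorServer server = startAuthenticated(PORT);
            System.out.println("anonymous access: " + acceptsAnonymous("localhost", PORT));
            server.stop();
        } else {
            String host = args[0];
            int port = args.length > 1 ? Integer.parseInt(args[1]) : PORT;
            System.out.println("anonymous access to " + host + ":" + port + ": " + acceptsAnonymous(host, port));
        }
    }
}
```

Compile with javac and run `java JmxConnectorCheck broker-host 1099` from a host that is allowed to reach the connector; a result of `true` means the connector admits clients without credentials and the broker should be patched or its JMX port fenced off. With no arguments the program starts the hardened connector in the same JVM and reports `false` against it. The two start methods each create an RMI registry on the port, so only one of them can run per JVM.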

Fix

Code Injection

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2021-00781
BIT-ACTIVEMQ-2020-11998
CVE-2020-11998
GHSA-WQFH-9M4G-7X6X

Affected Products

Apache ActiveMQ