PT-2020-5914 · Apache · Apache Tomee

Jonathan Gallimore · Published 2020-06-15 · Updated 2022-02-10 · CVE-2020-11969

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Apache TomEE versions 1.0.0 through 1.7.5
Apache TomEE versions 7.0.0-M1 through 7.0.7
Apache TomEE versions 7.1.0 through 7.1.2
Apache TomEE versions 8.0.0-M1 through 8.0.1
Description: The issue is a missing-authentication flaw in the Apache TomEE server application. If Apache TomEE is configured to use the embedded ActiveMQ broker and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099 without authentication. Exploitation of this issue may allow a remote attacker to elevate privileges, execute arbitrary code, or cause a denial of service.
Recommendations:
For Apache TomEE versions 1.0.0 through 1.7.5, consider disabling the JMX port on TCP port 1099 until a patch is available.
For Apache TomEE versions 7.0.0-M1 through 7.0.7, restrict access to the embedded ActiveMQ broker to minimize the risk of exploitation.
For Apache TomEE versions 7.1.0 through 7.1.2, avoid using the useJMX=true parameter in the broker URI until the issue is resolved.
For Apache TomEE versions 8.0.0-M1 through 8.0.1, consider temporarily disabling the embedded ActiveMQ broker until a patch is available.
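The following is an added configuration check, not code from the advisory or from the Apache TomEE project. It audits the embedded ActiveMQ broker URI for the flag the advisory describes and produces the hardened form with JMX switched off. It assumes the URI uses ActiveMQ's composite form (for example broker:(tcp://localhost:61616)?useJmx=false, a constructed sample), that the flag name may appear in any letter case (the advisory writes useJMX, ActiveMQ documents it as useJmx), and that the broker URI lives in a tomee.xml Resource element of type ActiveMQResourceAdapter under the BrokerXmlConfig property in properties-file syntax; the XML layout below is a constructed sample under that assumption.

```python
"""Audit TomEE embedded ActiveMQ broker URIs for an unauthenticated JMX port.

Added example; assumptions (not taken from the advisory):
  * broker URIs use ActiveMQ's composite form  broker:(...)?opt=value&...
  * the JMX flag is named useJmx and may appear in any letter case
  * tomee.xml stores it as the BrokerXmlConfig property of a
    <Resource type="ActiveMQResourceAdapter"> element
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

JMX_PORT = 1099  # port named in the advisory


def broker_uri_options(uri: str) -> dict:
    """Return the query options of a broker URI, keys lower-cased.

    A repeated option keeps its last value, matching the usual
    last-one-wins handling of query strings.
    """
    _, sep, query = uri.partition("?")
    if not sep:
        return {}
    opts = parse_qs(query, keep_blank_values=True)
    return {key.lower(): values[-1] for key, values in opts.items()}


def broker_uri_exposes_jmx(uri: str) -> bool:
    """True when the URI enables the JMX connector (useJmx=true, any case)."""
    value = broker_uri_options(uri).get("usejmx", "")
    return value.strip().lower() == "true"


def hardened_broker_uri(uri: str) -> str:
    """Return the URI with useJmx forced to false (the advisory's workaround).

    Every other option is preserved; any existing useJmx setting is removed
    before the explicit false is appended.
    """
    base, sep, query = uri.partition("?")
    kept = []
    if sep:
        kept = [p for p in query.split("&")
                if p and not p.lower().startswith("usejmx=")]
    kept.append("useJmx=false")
    return base + "?" + "&".join(kept)


def parse_properties(text: str) -> dict:
    """Parse the key = value lines TomEE uses inside a <Resource> body."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def exposed_broker_resources(tomee_xml: str) -> list:
    """Return ids of ActiveMQ resource adapters whose broker URI enables JMX."""
    root = ET.fromstring(tomee_xml)
    exposed = []
    for res in root.iter("Resource"):
        if "ActiveMQResourceAdapter" not in (res.get("type") or ""):
            continue
        props = parse_properties(res.text or "")
        if broker_uri_exposes_jmx(props.get("BrokerXmlConfig", "")):
            exposed.append(res.get("id"))
    return exposed


# Constructed sample tomee.xml: one adapter enables JMX, one does not.
SAMPLE_TOMEE_XML = """<tomee>
  <Resource id="ExposedAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61616)?useJMX=true&amp;persistent=false
    ServerUrl = tcp://localhost:61616
  </Resource>
  <Resource id="SafeAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61617)?useJmx=false
    ServerUrl = tcp://localhost:61617
  </Resource>
</tomee>
"""

if __name__ == "__main__":
    for res_id in exposed_broker_resources(SAMPLE_TOMEE_XML):
        print(f"{res_id}: broker URI enables JMX; TCP {JMX_PORT} would be "
              f"opened without authentication on affected TomEE versions")
```

Run it against the real tomee.xml by passing the file contents to exposed_broker_resources; a non-empty result on an affected version means the interim mitigation (forcing useJmx=false, disabling the broker, or blocking TCP 1099) applies until the fixed release is deployed.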

Fix

Weakness Enumeration

Improper Authentication
Missing Authentication

Related Identifiers

BDU:2021-02010
CVE-2020-11969
GHSA-836G-5FR5-FGCR

Affected Products

Apache Tomee