PT-2023-14012 · Oracle+4 · Java+5
Honglonglong +5
Published 2023-11-28 · Updated 2026-06-10
CVE-2022-41678
CVSS v2.0: 9.0 High
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ versions prior to 5.16.6
Apache ActiveMQ versions prior to 5.17.4
Apache ActiveMQ versions prior to 5.18.0
Apache ActiveMQ versions prior to 6.0.0
Description
An authentication flaw in the Jolokia component allows an authenticated user to trigger arbitrary code execution. In ActiveMQ configurations, the Jetty server allows org.jolokia.http.AgentServlet to handle requests to the '/api/jolokia' endpoint. The handlePostRequest() function in org.jolokia.http.HttpRequestHandler can create a JmxRequest via JSONObject and call executeRequest(). Further down the call stack, doHandleRequest() in org.jolokia.handler.ExecHandler can be invoked through reflection. This can lead to remote code execution via various MBeans, such as unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl on Java versions above 11. The exploitation process involves calling newRecording(), setConfiguration() to hide webshell data, startRecording(), and the copyTo method to write the webshell to a .jsp file.
Recommendations
Update to Apache ActiveMQ versions 5.16.6, 5.17.4, 5.18.0, or 6.0.0 to apply a more restrictive Jolokia configuration. Disable Jolokia or restrict the authorized actions within Jolokia to minimize the risk of exploitation.
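As an added illustration (not taken from this advisory or from the ActiveMQ project), a restrictive Jolokia access policy of the kind the recommendation refers to. It assumes the broker's Jolokia AgentServlet is pointed at this file through its policyLocation init parameter and that the web console only needs read-only JMX access; both assumptions must be checked against the actual deployment before the policy is rolled out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jolokia-access.xml: example policy, assumed to be loaded through the
     AgentServlet "policyLocation" init parameter (deployment-specific). -->
<restrict>
  <!-- Whitelist of Jolokia commands. "exec" is deliberately absent, so
       operation invocation through ExecHandler (the call path described
       above) is refused for every MBean, even for authenticated users.
       Commands not listed here are rejected globally. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>

  <!-- Defence in depth: explicitly deny all access to the Flight Recorder
       MBean (the ObjectName under which FlightRecorderMXBeanImpl is
       registered on Java 11 and later; this mapping is an assumption),
       so the deny still holds if "exec" is later re-enabled for other
       legitimate MBeans. Deny entries take precedence over allow entries. -->
  <deny>
    <mbean>
      <name>jdk.management.jfr:type=FlightRecorder</name>
      <attribute>*</attribute>
      <operation>*</operation>
    </mbean>
  </deny>
</restrict>
```

After deploying the policy, confirm that read and list requests from the console still succeed and that any operation invocation against the endpoint is refused with a forbidden error, and compare the result with the jolokia-access.xml shipped by the fixed ActiveMQ releases.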

Tags: Exploit · Fix · RCE

Weakness Enumeration
Improper Authentication
Deserialization of Untrusted Data

Related Identifiers

BDU:2026-05819
BIT-ACTIVEMQ-2022-41678
CVE-2022-41678
DLA-3936-1
DSA-5798-1
GHSA-53V4-42FG-G287
OESA-2023-1925
USN-6910-1
USN-7268-1

Affected Products

Activemq
Jdk
Java
Jetty
Linuxmint
Ubuntu