PT-2023-9583 · Apache · Log4J2+1


Published 2023-12-13 · Updated 2026-06-15 · CVE-2023-50780

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Artemis versions prior to 2.29.0

Description

Apache ActiveMQ Artemis exposes diagnostic information and management controls through JMX MBeans, which are also reachable over the authenticated Jolokia endpoint of the web console. Before 2.29.0 the exposed set included the Log4J2 MBean, which is meant only for administrators; in the affected versions any authenticated console user could reach it, not just holders of an administrative role. Through this MBean an authenticated attacker can write arbitrary files to the broker host's filesystem and, indirectly, achieve remote code execution.

Recommendations

Upgrade Apache ActiveMQ Artemis to version 2.29.0 or later, which fixes the issue. Until the upgrade is done, restrict the Jolokia endpoint and the MBeans it exposes to administrative roles (and, where possible, to trusted networks), make sure no non-administrative user is granted access to the Log4J2 MBean, and verify with a non-administrative login that the MBean is no longer reachable.
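A way to verify the two conditions above on a broker you operate, written as an added example for this page rather than code from the advisory, the Artemis project or Jolokia. It checks the reported broker version against the 2.29.0 boundary, lists the MBeans the given console login can see through Jolokia and looks for the org.apache.logging.log4j2 domain, then attempts a harmless read of that MBean's Name attribute to confirm the login can actually reach it. Assumptions, all of them stated in the code as well: the Jolokia endpoint is at <base_url>/console/jolokia/ (the Artemis default), the broker's jolokia-access.xml allow-list accepts the broker's own URL as Origin, Log4J2 registers its MBeans under the JMX domain org.apache.logging.log4j2, and the broker control MBean exposes a Version attribute. The sample Jolokia listing embedded at the bottom is constructed for offline use.

```python
"""Check an Apache ActiveMQ Artemis broker for the exposure in CVE-2023-50780:
the Log4J2 MBean reachable over the web console's Jolokia endpoint by an
authenticated user who is not an administrator.

Added example; not code from the advisory or from the Artemis project.
Assumptions: Jolokia is served at <base_url>/console/jolokia/ (Artemis
default), the broker's jolokia-access.xml accepts the Origin header sent here,
Log4J2 registers its MBeans in the JMX domain org.apache.logging.log4j2, and
the broker control MBean exposes a 'Version' attribute.
"""
import base64
import json
import re
import sys
import urllib.error
import urllib.request

LOG4J2_DOMAIN = "org.apache.logging.log4j2"
ARTEMIS_DOMAIN = "org.apache.activemq.artemis"
FIXED_VERSION = (2, 29, 0)  # first release outside the affected range


def parse_version(version):
    """Turn '2.28.0' or '2.28.0-SNAPSHOT' into a comparable (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Artemis version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True for every Artemis release prior to 2.29.0."""
    return parse_version(version) < FIXED_VERSION


def exposed_log4j2_mbeans(list_value):
    """ObjectNames under the Log4J2 domain in a Jolokia 'list' response value.

    Jolokia's 'list' returns value = {domain: {key-properties: {...}}}; any
    entry under org.apache.logging.log4j2 that a non-admin login can see is
    the exposure this advisory describes.
    """
    return sorted(f"{LOG4J2_DOMAIN}:{props}"
                  for props in list_value.get(LOG4J2_DOMAIN, {}))


def assess(version, list_value, readable=None):
    """Verdict from the version, the MBean listing and an optional read probe."""
    mbeans = exposed_log4j2_mbeans(list_value)
    return {
        "version": version,
        "version_affected": is_vulnerable_version(version),
        "log4j2_mbeans_visible": mbeans,
        "log4j2_attribute_readable": readable,
        "exposed": bool(mbeans) and readable is not False,
    }


def jolokia_post(base_url, user, password, request):
    """Send one Jolokia POST with HTTP basic auth; return the decoded response."""
    base_url = base_url.rstrip("/")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/console/jolokia/",
        data=json.dumps(request).encode(),
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/json",
                 # Artemis ships jolokia-access.xml with strict Origin checking;
                 # the broker's own URL is assumed to be on its allow-list.
                 "Origin": base_url},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:  # denial answered at the HTTP layer
        return {"status": e.code, "error": str(e)}


def probe(base_url, user, password):
    """Run the checks against a live broker; use a non-administrative login."""
    # Pattern read: value = {object-name: {"Version": "..."}}; take the first broker.
    versions = jolokia_post(base_url, user, password,
                            {"type": "read", "mbean": f"{ARTEMIS_DOMAIN}:broker=*",
                             "attribute": "Version"})["value"]
    version = next(iter(versions.values()))["Version"]
    listing = jolokia_post(base_url, user, password, {"type": "list"})["value"]
    # Harmless read probe on the Log4J2 context MBean's 'Name' attribute: a 200
    # means this login can actually reach the MBean, not merely list it.
    read = jolokia_post(base_url, user, password,
                        {"type": "read", "mbean": f"{LOG4J2_DOMAIN}:type=*",
                         "attribute": "Name"})
    return assess(version, listing, readable=(read.get("status") == 200))


# Constructed sample shaped like a Jolokia 'list' value, for offline use.
SAMPLE_LIST_VALUE = {
    ARTEMIS_DOMAIN: {'broker="0.0.0.0"': {"attr": {"Version": {"type": "java.lang.String"}}}},
    LOG4J2_DOMAIN: {"type=6d06d69c": {"attr": {"Name": {"type": "java.lang.String"}}}},
}

if __name__ == "__main__":
    if len(sys.argv) == 4:
        print(json.dumps(probe(*sys.argv[1:]), indent=2))
    else:
        print(json.dumps(assess("2.28.0", SAMPLE_LIST_VALUE), indent=2))
```

Run it as `python check_artemis_log4j2.py https://broker:8161 user password` with an account that is deliberately not in the administrative role; the point of the check is that such a login should neither see nor read the Log4J2 MBean once the broker is upgraded or the Jolokia and MBean access has been restricted. The read probe only fetches the context name, which changes nothing on the broker. If your jolokia-access.xml allow-list does not include the broker's own URL, the Origin header must be changed to one it accepts, otherwise every request is refused before authorization is even consulted.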

Fix

RCE

Improper Authorization


Weakness Enumeration

Related Identifiers

BDU:2024-08497
CVE-2023-50780
GHSA-443J-GRXV-2PGV

Affected Products

Apache ActiveMQ Artemis
Log4J2