PT-2024-3291 · Apache · Apache ActiveMQ

Martin Zeissig · Published 2024-04-11 · Updated 2026-04-08

CVE-2024-32114
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ versions 6.x through 6.1.1

Description: The issue stems from the insecure default configuration of the Jolokia JMX REST API and the Message REST API in Apache ActiveMQ, which permits unauthorized access because no authentication is enforced. A remote attacker could read, modify, or delete information. The default configuration does not secure the API web context, so anyone who can reach the broker's web port can use these layers without authenticating and can interact with the broker or produce and consume messages.

Recommendations: To mitigate the issue, update the default conf/jetty.xml configuration file to add an authentication requirement. Alternatively, upgrade to Apache ActiveMQ 6.1.2, where the default configuration enforces authentication. As a temporary workaround, restrict network access to the Jolokia JMX REST API and Message REST API until the issue is resolved.
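A configuration audit for the recommendation above, added here as an example and not part of the advisory or of ActiveMQ itself: it parses a jetty.xml and reports whether the API paths are covered by a constraint mapping whose constraint has authenticate=true. The bean ids (securityConstraint, securityConstraintMapping), property names (pathSpec, constraint, authenticate), endpoint paths under /api/ and the two sample files are assumptions constructed to mirror the Spring-bean layout of ActiveMQ's conf/jetty.xml; verify them against your installation.

```python
"""Audit an ActiveMQ-style conf/jetty.xml for unauthenticated /api/ access."""
import xml.etree.ElementTree as ET

# Endpoints the advisory concerns (paths assumed; check your broker's context paths).
API_PATHS = ["/api/jolokia/version", "/api/message/TEST"]

# Constructed samples; class names are illustrative, the audit only reads ids/properties.
_TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="{spec}"/>
  </bean>
</beans>"""
WEAK_JETTY_XML = _TEMPLATE.format(spec="*.jsp")          # REST API left outside the constraint
FIXED_JETTY_XML = _TEMPLATE.format(spec="/api/*,*.jsp")  # REST API covered by the constraint


def _local(tag):
    """Strip the Spring beans namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def _props(bean):
    """Map property name -> (value, ref) for one <bean>."""
    return {p.get("name"): (p.get("value"), p.get("ref"))
            for p in bean if _local(p.tag) == "property"}


def spec_matches(spec, path):
    """Servlet-style path spec matching: '/prefix/*', '*.ext', or exact match."""
    spec = spec.strip()
    if spec.endswith("/*"):
        return path == spec[:-2] or path.startswith(spec[:-1])
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def unprotected_paths(xml_text, paths=API_PATHS):
    """Return the API paths not covered by any mapping whose constraint authenticates."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): _props(b) for b in root.iter()
             if _local(b.tag) == "bean" and b.get("id")}
    protecting_specs = []
    for props in beans.values():
        if "pathSpec" not in props or "constraint" not in props:
            continue  # not a ConstraintMapping bean
        constraint = beans.get(props["constraint"][1], {})
        if constraint.get("authenticate", ("false", None))[0] == "true":
            protecting_specs += props["pathSpec"][0].split(",")
    return [p for p in paths if not any(spec_matches(s, p) for s in protecting_specs)]
```

Run it against the real file with `unprotected_paths(open("conf/jetty.xml").read())`; a non-empty result means the REST API still answers without credentials.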

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers

BDU:2024-03523
BIT-ACTIVEMQ-2024-32114
CVE-2024-32114
GHSA-GJ5M-M88J-V7C3

Affected Products

Apache ActiveMQ