{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-41678","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2022-09-28T07:40:05.138Z","datePublished":"2023-11-28T15:08:38.338Z","dateUpdated":"2025-11-03T21:46:33.574Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2","defaultStatus":"unaffected","packageName":"org.apache.activemq:apache-activemq","product":"Apache ActiveMQ","vendor":"Apache Software Foundation","versions":[{"lessThan":"5.16.6","status":"affected","version":"0","versionType":"semver"},{"lessThan":"5.17.4","status":"affected","version":"5.17.0","versionType":"semver"},{"status":"unaffected","version":"5.18.0"},{"status":"unaffected","version":"6.0.0"}]}],"credits":[{"lang":"en","type":"finder","value":"wangxin@threatbook.cn"},{"lang":"en","type":"finder","value":"wangzhendong@threatbook.cn"},{"lang":"en","type":"finder","value":"honglonglong@threatbook.cn"},{"lang":"en","type":"finder","value":"Matei \"Mal\" Badanoiu"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution.<br><br>In detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia.<br><br>org.jolokia.http.HttpRequestHandler#handlePostRequest creates a JmxRequest from the posted JSONObject and calls org.jolokia.http.HttpRequestHandler#executeRequest.<br><br>Deeper in the call stack, org.jolokia.handler.ExecHandler#doHandleRequest invokes the requested MBean operation through reflection. This can lead to RCE via various MBeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl, which exists on Java 11 and later.<br><br>1. Call newRecording.<br>2. Call setConfiguration, with webshell data hidden in the configuration.<br>3. Call startRecording.<br>4. Call the copyTo method. The webshell is written to a .jsp file.<br><br></span>The mitigation is to restrict (by default) the actions authorized on Jolokia, or to disable Jolokia.<br>A more restrictive Jolokia configuration has been defined in the default ActiveMQ distribution. We encourage users to upgrade to an ActiveMQ distribution version that includes the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.<br>"}],"value":"Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution.\n\nIn detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia.\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest creates a JmxRequest from the posted JSONObject and calls org.jolokia.http.HttpRequestHandler#executeRequest.\n\nDeeper in the call stack, org.jolokia.handler.ExecHandler#doHandleRequest invokes the requested MBean operation through reflection. This can lead to RCE via various MBeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl, which exists on Java 11 and later.\n\n1. Call newRecording.\n\n2. Call setConfiguration, with webshell data hidden in the configuration.\n\n3. Call startRecording.\n\n4. Call the copyTo method. The webshell is written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or to disable Jolokia.\nA more restrictive Jolokia configuration has been defined in the default ActiveMQ distribution. We encourage users to upgrade to an ActiveMQ distribution version that includes the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"}],"metrics":[{"other":{"content":{"text":"Medium"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-287","description":"CWE-287 Improper Authentication","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2024-05-31T08:42:41.796Z"},"references":[{"tags":["vendor-advisory"],"url":"https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"},{"url":"https://www.openwall.com/lists/oss-security/2023/11/28/1"},{"url":"https://security.netapp.com/advisory/ntap-20240216-0004/"}],"source":{"defect":["AMQ-9201"],"discovery":"UNKNOWN"},"title":"Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"},{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"},{"url":"https://www.openwall.com/lists/oss-security/2023/11/28/1","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20240216-0004/","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T21:46:33.574Z"}}]}}
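The record's mitigation is to "restrict (by default) the actions authorized on Jolokia". The policy below is an added, illustrative example of what such a restriction looks like in Jolokia's documented access-policy format (the jolokia-access.xml that Jolokia's AgentServlet loads from its policyLocation init parameter); it is not the file shipped in the ActiveMQ 5.16.6 / 5.17.4 / 5.18.0 / 6.0.0 distributions, and the MBean name pattern for the broker and the FlightRecorder ObjectName are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative Jolokia access policy (added example, not ActiveMQ's own conf file).
     Only read-style commands are enabled globally; "exec" and "write" are off
     unless an <allow> entry re-enables them for a specific MBean. -->
<restrict>
  <http>
    <method>get</method>
    <method>post</method>
  </http>

  <!-- Commands permitted for every MBean. "exec" is deliberately absent:
       that is the command ExecHandler#doHandleRequest serves. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>

  <!-- Re-enable operations only where the broker console needs them.
       The name pattern is an assumption; narrow it to the MBeans you actually use. -->
  <allow>
    <mbean>
      <name>org.apache.activemq:*</name>
      <attribute>*</attribute>
      <operation>*</operation>
    </mbean>
  </allow>

  <!-- Deny always wins over allow. The FlightRecorder MBean is the one the
       advisory's newRecording/setConfiguration/startRecording/copyTo chain abuses. -->
  <deny>
    <mbean>
      <name>jdk.management.jfr:type=FlightRecorder</name>
      <attribute>*</attribute>
      <operation>*</operation>
    </mbean>
  </deny>
</restrict>
```

Two checks worth running after deploying a policy like this: POST a `{"type":"version"}` request to /api/jolokia and confirm it still answers (the console depends on read/list), then POST an `exec` against `jdk.management.jfr:type=FlightRecorder` with a harmless operation and confirm Jolokia returns an access-denied status rather than executing it. Disabling the Jolokia servlet entirely in jetty.xml remains the stronger option where nothing consumes the API.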
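To make the record's two practical questions checkable, the Python below is an added example (not part of the CVE record or the ActiveMQ project): an `is_affected` check that mirrors the record's two affected ranges, and `flag_jolokia_request`, which inspects a Jolokia POST body as it would appear in a proxy or access log and reports anything outside the read-only command set, naming the step of the advisory's FlightRecorder chain when an `exec` matches it. It assumes Jolokia's documented request shape (`type`, `mbean`, `operation`, optionally a bulk JSON array) and the FlightRecorderMXBean ObjectName `jdk.management.jfr:type=FlightRecorder`; the sample bodies are constructed for the example.

```python
"""Exposure check and request-level detection for CVE-2022-41678.

Added example; not code from the CVE record or from Apache ActiveMQ.
Assumptions: Jolokia POST bodies are one JSON object or a JSON array of
objects with "type", "mbean" and "operation" keys, and the JFR MBean is
registered as "jdk.management.jfr:type=FlightRecorder".
"""
import json
from typing import Any

# Command types the restrictive policy keeps; "exec" and "write" are refused.
SAFE_COMMANDS = {"read", "list", "version", "search"}

JFR_MBEAN = "jdk.management.jfr:type=FlightRecorder"
# Operation order from the advisory: recording -> config carrying the payload
# -> start -> copy the recording to a .jsp file.
JFR_CHAIN = ("newRecording", "setConfiguration", "startRecording", "copyTo")


def parse_version(v: str) -> tuple[int, ...]:
    """'5.16.5' -> (5, 16, 5); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def is_affected(version: str) -> bool:
    """Record's ranges: [0, 5.16.6) and [5.17.0, 5.17.4) are affected."""
    v = parse_version(version)
    return v < (5, 16, 6) or (5, 17, 0) <= v < (5, 17, 4)


def _requests(body: str) -> list[dict[str, Any]]:
    """Normalize a single request or a bulk array to a list of requests."""
    data = json.loads(body)
    if isinstance(data, dict):
        return [data]
    if isinstance(data, list):
        return [r for r in data if isinstance(r, dict)]
    return []


def flag_jolokia_request(body: str) -> list[str]:
    """One finding per request a read-only Jolokia policy should refuse."""
    findings: list[str] = []
    for req in _requests(body):
        cmd = str(req.get("type", "")).lower()
        if cmd in SAFE_COMMANDS:
            continue
        mbean = str(req.get("mbean", ""))
        # Jolokia allows a signature suffix, e.g. "copyTo(long,java.lang.String)".
        op_name = str(req.get("operation", "")).split("(")[0]
        if cmd == "exec" and mbean == JFR_MBEAN and op_name in JFR_CHAIN:
            step = JFR_CHAIN.index(op_name) + 1
            findings.append(f"exec on FlightRecorder step {step}: {op_name}")
        else:
            findings.append(f"non-read command '{cmd}' on {mbean or '?'}")
    return findings


# Constructed sample bodies (not captured traffic). The payload string and
# file name are placeholders standing in for what the advisory describes.
SAMPLE_BODIES = {
    "console_read": json.dumps({
        "type": "read",
        "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
        "attribute": "Uptime",
    }),
    "attribute_write": json.dumps({
        "type": "write", "mbean": "java.lang:type=Memory",
        "attribute": "Verbose", "value": True,
    }),
    "jfr_chain": json.dumps([
        {"type": "exec", "mbean": JFR_MBEAN, "operation": "newRecording"},
        {"type": "exec", "mbean": JFR_MBEAN, "operation": "setConfiguration",
         "arguments": [1, "CONSTRUCTED_PLACEHOLDER_CONFIG"]},
        {"type": "exec", "mbean": JFR_MBEAN, "operation": "startRecording",
         "arguments": [1]},
        {"type": "exec", "mbean": JFR_MBEAN,
         "operation": "copyTo(long,java.lang.String)",
         "arguments": [1, "example.jsp"]},
    ]),
}


if __name__ == "__main__":
    for ver in ("5.16.5", "5.16.6", "5.17.3", "5.17.4", "5.18.0", "6.0.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for name, body in SAMPLE_BODIES.items():
        print(name, flag_jolokia_request(body) or "clean")
```

Run against real traffic, the second function is best wired to the request body of POST /api/jolokia at a reverse proxy or WAF, since the broker's own access log does not record bodies; a single `exec` against the FlightRecorder MBean is enough to alert on, the full four-step sequence merely raises confidence.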