FKIE_CVE-2022-41678

Vulnerability from fkie_nvd - Published: 2023-11-28 16:15 - Updated: 2025-11-03 22:16
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
References
security@apache.orghttps://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txtVendor Advisory
security@apache.orghttps://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4slMailing List, Vendor Advisory
security@apache.orghttps://security.netapp.com/advisory/ntap-20240216-0004/
security@apache.orghttps://www.openwall.com/lists/oss-security/2023/11/28/1
af854a3a-2127-422b-91ae-364da2661108https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txtVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4slMailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240216-0004/
af854a3a-2127-422b-91ae-364da2661108https://www.openwall.com/lists/oss-security/2023/11/28/1
Impacted products
Vendor Product Version
apache activemq *
apache activemq *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CD766F1-F0C9-4CFE-85F5-308248C6E44C",
              "versionEndExcluding": "5.16.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0D4F2D0-6707-47EA-BE24-D1B273EF5122",
              "versionEndExcluding": "5.17.4",
              "versionStartIncluding": "5.17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\n\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\n\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest can be invoked\nthrough refection. This could lead to RCE through via\nvarious mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration. And a webshell data hides in it.\n\n3 Call startRecording.\n\n4 Call copyTo method. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"
    },
    {
      "lang": "es",
      "value": "Una vez que un usuario se autentica en Jolokia, potencialmente puede desencadenar la ejecuci\u00f3n de c\u00f3digo arbitrario. En detalles, en las configuraciones de ActiveMQ, jetty permite que org.jolokia.http.AgentServlet maneje la solicitud a /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest puede crear JmxRequest a trav\u00e9s de JSONObject. Y llamadas a org.jolokia.http.HttpRequestHandler#executeRequest. En pilas de llamadas m\u00e1s profundas, org.jolokia.handler.ExecHandler#doHandleRequest puede invocar mediante reflexi\u00f3n. Y luego, RCE se puede lograr a trav\u00e9s de jdk.management.jfr.FlightRecorderMXBeanImpl que existe en la versi\u00f3n de Java superior a 11. 1 Call newRecording. 2 Call setConfiguration. Y en \u00e9l se esconden datos de un webshell. 3 Call startRecording. 4 Call copyTo method. El webshell se escribir\u00e1 en un archivo .jsp. La mitigaci\u00f3n es restringir (de forma predeterminada) las acciones autorizadas en Jolokia o desactivar Jolokia. Se ha definido una configuraci\u00f3n de Jolokia m\u00e1s restrictiva en la distribuci\u00f3n predeterminada de ActiveMQ. Alentamos a los usuarios a actualizar a la versi\u00f3n de distribuciones ActiveMQ, incluida la configuraci\u00f3n actualizada de Jolokia: 5.16.6, 5.17.4, 5.18.0, 6.0.0."
    }
  ],
  "id": "CVE-2022-41678",
  "lastModified": "2025-11-03T22:16:00.520",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-28T16:15:06.840",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"
    },
    {
      "source": "security@apache.org",
      "url": "https://security.netapp.com/advisory/ntap-20240216-0004/"
    },
    {
      "source": "security@apache.org",
      "url": "https://www.openwall.com/lists/oss-security/2023/11/28/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20240216-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.openwall.com/lists/oss-security/2023/11/28/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.