Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-41678 PoC — Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE

Source
https://github.com/mbadanoiu/CVE-2022-41678
Associated Vulnerability
Title:Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE (CVE-2022-41678)
Description:Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Description
CVE-2022-41678: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ
Readme
# CVE-2022-41678: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ

By listing and inspecting the MBeans exposed by the Jolokia API at http://127.0.0.1:8161/api/jolokia the following attack vectors have been identified:
- Arbitrary File Write using Log4J resulting in Remote Code Execution
- Arbitrary File Read using Log4J
- SSRF using Log4J
- Arbitrary File Overwrite using Java Flight Recorder (RCE is also achievable via the JFR as discovered by the threatbook.cn team)

This vulnerability can be exploited by a local attacker that knows the basic authentication credentials (by default “admin:admin”) used by the ActiveMQ web interface.

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt).

**NOTE**: This vulnerability is not a "deserialization vulnerability".

### Requirements:

This vulnerability requires:
<br/>
- Valid credentials for user with "admin" role

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2022-41678/blob/main/Apache%20ActiveMQ%20-%20CVE-2022-41678.pdf).

### Additional Resources:

[YouTube presentation](https://www.youtube.com/watch?v=Hy4ufEfabRA) on how to exploit Log4J MBeans over JMX/Jolokia (a.k.a. Log4JMX)

[Blog post](https://y4tacker.github.io/2023/11/30/year/2023/11/%E6%9F%90%E7%B3%BB%E7%BB%9F%E6%9C%80%E6%96%B0%E5%89%8D%E5%8F%B0RCE%E5%88%86%E6%9E%90/Apache-ActiveMQ-Jolokia%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E4%B8%8D%E4%BE%9D%E8%B5%96JDK%E6%89%93%E6%B3%95/) by [Y4tacker](https://github.com/Y4tacker) explaining how to obtain RCE via the Log4J vector.

[Proof of concept code](https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2022-41678) by [Owen "phith0n" Gong](https://github.com/phith0n) that exploits both the Log4J and JFR vectors.

[Blog post](https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/) by [淚笑 l3yx](https://github.com/l3yx) explaining how to obtain RCE via the Java Flight Recorder.

### Timeline:
- This vulnerability was initially reported to security@apache.org on 20-Jan-2023
- Confirmation that CVE-2022-41678 was allocated for this vulnerability and retest request for ActiveMQ versions 5.17.3 and 5.18.0 on 25-Aug-2023
- Apache discloses CVE-2022-41678 on 28-Nov-2023
- Performed the retest and confirmed that the latest ActiveMQ is no longer vulnerable on 4-Jan-2024
- Publically disclosed the initial report on 29-Nov-2024
File Snapshot

 [4.0K]  /data/pocs/3d666b505b1850f1d7bccfc2639a5e27fc4a26c9
├── [1.7M]  Apache ActiveMQ - CVE-2022-41678.pdf
└── [2.6K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →