CVE-2023-50780 PoC — Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans

Associated Vulnerability
Title: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans (CVE-2023-50780)
Description: Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.
Readme
# CVE-2023-50780: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ Artemis

By listing and inspecting the MBeans exposed by the Jolokia API at http://127.0.0.1:8161/console/jolokia, the following attack vectors have been identified:
- Arbitrary File Write using Log4J indirectly resulting in Remote Code Execution
- Arbitrary File Read using Log4J
- DoS using Artemis Broker MBeans

This vulnerability can be exploited by a local attacker that knows the basic authentication credentials used by the Artemis web interface.

**Note:** If the server is set with "--allow-anonymous", then any non-null user-password combination can be used to authenticate.

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://lists.apache.org/thread/63b78shqz312phsx7v1ryr7jv7bprg58).

### Requirements:

This vulnerability requires:
- Valid credentials for user with "admin" role (if authentication is required)

### Proof Of Concept:

As multiple attack vectors have been identified, you can find more details and the exploitation processes of interest in one or more of the following PDFs:
- The initial report that was sent to the vendor: [Apache Artemis - CVE-2023-50780 - Initial Report.pdf](https://github.com/mbadanoiu/CVE-2023-50780/blob/main/Apache%20Artemis%20-%20CVE-2023-50780%20-%20Initial%20Report.pdf). The RCE vector requires:
  - The ability to overwrite the "broker.xml" file as the user running the web server
  - Restarting the entire Artemis application in order for the "broker.xml" changes to take effect (although we can leverage the "forceFailover()" function to close the application, we will still require user interaction from an administrator in order to restart it)
- [Apache Artemis - CVE-2023-50780 - WAR + Restart Vector.pdf](https://github.com/mbadanoiu/CVE-2023-50780/blob/main/Apache%20Artemis%20-%20CVE-2023-50780%20-%20WAR%20%2B%20Restart%20Vector.pdf). The RCE vector requires:
  - The ability to overwrite one of the WAR files loaded by Artemis (e.g. "activemq-branding.war", "artemis-plugin.war" or "console.war") as the user running the web server
  - Restarting the embedded Jetty Webserver via the "restartEmbeddedWebServer()" function (no user interaction is required as this function can be called by the attacker directly via the Artemis Broker MBean)
- [Apache Artemis - CVE-2023-50780 - JAR + jvmtiAgentLoad.pdf](https://github.com/mbadanoiu/CVE-2023-50780/blob/main/Apache%20Artemis%20-%20CVE-2023-50780%20-%20JAR%20%2B%20jvmtiAgentLoad.pdf). The RCE vector requires:
  - The ability to write files somewhere on the file system (e.g. "/tmp", "/dev/shm", "C:\Windows\Public", etc.) and to leverage Log4J to write an arbitrary JAR to that location
  - Loading the respective JAR and obtaining RCE via the "jvmtiAgentLoad([Ljava.lang.String;)" function
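
One way to check a broker you operate for the surfaces this write-up names, as an added example that is not part of the original README: it audits a saved Jolokia `list` response offline. The JMX domain names and the sample responses are assumptions constructed for illustration.

```python
import json

# Surfaces named in the write-up. The JMX domain names are assumptions: they
# are the standard ones for Log4j2, the JVM and Artemis, not taken from the page.
RISKY_DOMAINS = {"org.apache.logging.log4j2": "Log4J2 MBean exposed"}
RISKY_OPS = {
    "forceFailover": "org.apache.activemq.artemis",
    "restartEmbeddedWebServer": "org.apache.activemq.artemis",
    "jvmtiAgentLoad": "com.sun.management",
}

def audit_jolokia_list(response_text):
    """Return sorted (domain, mbean, finding) tuples for a saved 'list' response."""
    doc = json.loads(response_text)
    if doc.get("status") != 200 or not isinstance(doc.get("value"), dict):
        raise ValueError("not a successful Jolokia list response")
    findings = set()
    for domain, beans in doc["value"].items():
        if domain in RISKY_DOMAINS:
            findings.add((domain, "*", RISKY_DOMAINS[domain]))
        for props, info in beans.items():
            for op in info.get("op") or {}:
                if RISKY_OPS.get(op) == domain:
                    findings.add((domain, props, f"operation {op}() callable"))
    return sorted(findings)

# Constructed sample: the shape of a Jolokia list response (domain -> MBean
# key properties -> attr/op maps), trimmed to a few entries.
SAMPLE_EXPOSED = json.dumps({"status": 200, "value": {
    "org.apache.logging.log4j2": {"type=constructed-ctx": {"attr": {}, "op": {}}},
    "org.apache.activemq.artemis": {'broker="constructed"': {"op": {
        "forceFailover": {}, "restartEmbeddedWebServer": {}, "listAddresses": {}}}},
    "com.sun.management": {"type=DiagnosticCommand": {"op": {
        "jvmtiAgentLoad": {}, "vmUptime": {}}}},
    "java.lang": {"type=Memory": {"op": {"gc": {}}}},
}})

# Same broker with the Log4J2 domain no longer listed (constructed).
_value = json.loads(SAMPLE_EXPOSED)["value"]
_value.pop("org.apache.logging.log4j2")
SAMPLE_NO_LOG4J = json.dumps({"status": 200, "value": _value})

if __name__ == "__main__":
    for domain, mbean, finding in audit_jolokia_list(SAMPLE_EXPOSED):
        print(f"{domain}:{mbean} -> {finding}")
```

Feed it the JSON body saved from your own broker's Jolokia `list` call; per the advisory text above, the Log4J2 finding should be absent on version 2.29.0 or later.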
 
### Additional Resources:

[Blogpost](https://blog.pyn3rd.com/2022/11/15/A-New-Way-of-Jolokia-Remote-Code-Execution/) by [Xu "pyn3rd" Yuanzhen](https://github.com/pyn3rd) explaining how a JAR arbitrary write + Jolokia can be used to obtain RCE

### Timeline:
- This vulnerability was initially reported to security@apache.org on 14-Feb-2023
- Apache discloses CVE-2023-50780 on 14-Oct-2024
- Publicly disclosed the initial report and other vectors on 18-Dec-2024
File Snapshot

[4.0K] /data/pocs/9bed6af12c603b0a5d441e4329f0de8bb5b1f5ef
├── [1.4M] Apache Artemis - CVE-2023-50780 - Initial Report.pdf
├── [2.0M] Apache Artemis - CVE-2023-50780 - JAR + jvmtiAgentLoad.pdf
├── [1.8M] Apache Artemis - CVE-2023-50780 - WAR + Restart Vector.pdf
└── [3.2K] README.md

0 directories, 4 files