By listing and inspecting the MBeans exposed by the Jolokia API at http://127.0.0.1:8161/api/jolokia, the following attack vectors have been identified:
- Arbitrary File Write using Log4J resulting in Remote Code Execution
- Arbitrary File Read using Log4J
- SSRF using Log4J
- Arbitrary File Overwrite using Java Flight Recorder (RCE is also achievable via the JFR as discovered by the threatbook.cn team)
This vulnerability can be exploited by a local attacker who knows the basic authentication credentials (by default “admin:admin”) used by the ActiveMQ web interface.
The vendor's disclosure for this vulnerability can be found here.
NOTE: This vulnerability is not a "deserialization vulnerability".
This vulnerability requires:
- Valid credentials for a user with the "admin" role
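Because every vector above goes through Jolokia requests against specific MBeans, a defender can flag them in the web interface's access log. The following detector is an added example, not code from the advisory or from ActiveMQ; the MBean domains it matches (`org.apache.logging.log4j2:` for Log4J, `jdk.management.jfr:` for the Flight Recorder) and the sample log lines are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# MBean domains tied to the two vectors in the advisory. The ObjectName prefixes
# are assumed from the Log4j 2 and JDK JFR JMX conventions; the advisory itself
# only names the components, not the MBeans.
SENSITIVE_MBEAN_RE = re.compile(r"(org\.apache\.logging\.log4j2|jdk\.management\.jfr):", re.I)
JOLOKIA_PREFIX = "/api/jolokia"

def jolokia_operations(method, path, body=None):
    """Return (type, mbean) pairs found in one Jolokia request.

    GET-style requests encode the operation in the path
    (/api/jolokia/exec/<mbean>/<operation>/<args>); POST requests carry JSON
    ({"type": "exec", "mbean": ...} or a list of such objects).
    Jolokia's '!'-escaping of special characters is not decoded here.
    """
    if not path.startswith(JOLOKIA_PREFIX):
        return []
    if method.upper() == "POST":
        try:
            parsed = json.loads(body or "")
        except ValueError:
            return []
        reqs = parsed if isinstance(parsed, list) else [parsed]
        return [(str(r.get("type", "")), str(r.get("mbean", ""))) for r in reqs if isinstance(r, dict)]
    parts = unquote(path[len(JOLOKIA_PREFIX):]).strip("/").split("/")
    return [(parts[0], parts[1])] if len(parts) >= 2 else []

def suspicious_operations(method, path, body=None):
    """Keep only exec/write operations that target the Log4J or JFR MBeans."""
    return [(t.lower(), m) for t, m in jolokia_operations(method, path, body)
            if t.lower() in ("exec", "write") and SENSITIVE_MBEAN_RE.search(m)]

# NCSA-style access log line: client, user, method, path, status.
ACCESS_LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Report which authenticated user reached a sensitive MBean, and from where."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        client, user, method, path, status = m.groups()
        for op, mbean in suspicious_operations(method, path):
            hits.append({"client": client, "user": user, "op": op, "mbean": mbean, "status": int(status)})
    return hits

# Constructed sample lines (not real traffic); operation names are placeholders.
SAMPLE_LOG = [
    '127.0.0.1 - admin [04/Jan/2024:10:00:00 +0000] "GET /api/jolokia/list HTTP/1.1" 200 1532',
    '127.0.0.1 - admin [04/Jan/2024:10:00:05 +0000] "GET /api/jolokia/exec/org.apache.logging.log4j2:type=ExampleCtx/exampleOp/x HTTP/1.1" 200 88',
    '127.0.0.1 - admin [04/Jan/2024:10:00:09 +0000] "GET /api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/exampleOp HTTP/1.1" 200 61',
]
```

Access logs usually omit POST bodies, so `jolokia_operations` also accepts a JSON body for cases where a proxy or audit log captures it.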
More details and the exploitation process can be found in this PDF.
YouTube presentation on how to exploit Log4J MBeans over JMX/Jolokia (a.k.a. Log4JMX)
Blog post by Y4tacker explaining how to obtain RCE via the Log4J vector.
Proof of concept code by Owen "phith0n" Gong that exploits both the Log4J and JFR vectors.
Blog post by 淚笑 l3yx explaining how to obtain RCE via the Java Flight Recorder.
- This vulnerability was initially reported to security@apache.org on 20-Jan-2023
- Confirmation that CVE-2022-41678 was allocated for this vulnerability and retest request for ActiveMQ versions 5.17.3 and 5.18.0 on 25-Aug-2023
- Apache discloses CVE-2022-41678 on 28-Nov-2023
- Performed the retest and confirmed that the latest ActiveMQ is no longer vulnerable on 4-Jan-2024
- Publicly disclosed the initial report on 29-Nov-2024