Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-41678

Disclosure Date: November 28, 2023 •

CVE-2022-41678 CVSS v3 Base Score: 8.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.

In details, in ActiveMQ configurations, jetty allows
org.jolokia.http.AgentServlet to handler request to /api/jolokia

org.jolokia.http.HttpRequestHandler#handlePostRequest is able to
create JmxRequest through JSONObject. And calls to
org.jolokia.http.HttpRequestHandler#executeRequest.

Into deeper calling stacks,
org.jolokia.handler.ExecHandler#doHandleRequest can be invoked
through refection. This could lead to RCE through via
various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.

1 Call newRecording.

2 Call setConfiguration. And a webshell data hides in it.

3 Call startRecording.

4 Call copyTo method. The webshell will be written to a .jsp file.

The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apache

Products

activemq

References

Canonical

CVE-2022-41678 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41678)

Miscellaneous

https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt

https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl

http://www.openwall.com/lists/oss-security/2023/11/28/1

https://security.netapp.com/advisory/ntap-20240216-0004/

https://www.openwall.com/lists/oss-security/2023/11/28/1

Rapid7

Unknown

CVE-2022-41678

Unknown

Unknown

None

Low

Network

CVE-2022-41678

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2022-41678

Unknown

Unknown

None

Low

Network

CVE-2022-41678

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification