gsd-2022-41678
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection. And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2022-41678",
    "id": "GSD-2022-41678"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-41678"
      ],
      "details": "Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\n\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\n\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest is able to invoke\nthrough refection.\n\nAnd then, RCE is able to be achieved via\njdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration. And a webshell data hides in it.\n\n3 Call startRecording.\n\n4 Call copyTo method. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n",
      "id": "GSD-2022-41678",
      "modified": "2023-12-13T01:19:32.482486Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-41678",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache ActiveMQ",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected",
                            "versions": [
                              {
                                "lessThan": "5.16.6",
                                "status": "affected",
                                "version": "0",
                                "versionType": "semver"
                              },
                              {
                                "lessThan": "5.17.4",
                                "status": "affected",
                                "version": "5.17.0",
                                "versionType": "semver"
                              },
                              {
                                "status": "unaffected",
                                "version": "5.18.0"
                              },
                              {
                                "status": "unaffected",
                                "version": "6.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "wangxin@threatbook.cn"
        },
        {
          "lang": "en",
          "value": "wangzhendong@threatbook.cn"
        },
        {
          "lang": "en",
          "value": "honglonglong@threatbook.cn"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\n\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\n\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest is able to invoke\nthrough refection.\n\nAnd then, RCE is able to be achieved via\njdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration. And a webshell data hides in it.\n\n3 Call startRecording.\n\n4 Call copyTo method. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502 Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt",
            "refsource": "MISC",
            "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"
          },
          {
            "name": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2023/11/28/1",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2023/11/28/1"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240216-0004/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20240216-0004/"
          }
        ]
      },
      "source": {
        "defect": [
          "AMQ-9201"
        ],
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2CD766F1-F0C9-4CFE-85F5-308248C6E44C",
                    "versionEndExcluding": "5.16.6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B0D4F2D0-6707-47EA-BE24-D1B273EF5122",
                    "versionEndExcluding": "5.17.4",
                    "versionStartIncluding": "5.17.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0\n\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\n\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest is able to invoke\nthrough refection.\n\nAnd then, RCE is able to be achieved via\njdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration. And a webshell data hides in it.\n\n3 Call startRecording.\n\n4 Call copyTo method. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"
          },
          {
            "lang": "es",
            "value": "Una vez que un usuario se autentica en Jolokia, potencialmente puede desencadenar la ejecuci\u00f3n de c\u00f3digo arbitrario. En detalles, en las configuraciones de ActiveMQ, jetty permite que org.jolokia.http.AgentServlet maneje la solicitud a /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest puede crear JmxRequest a trav\u00e9s de JSONObject. Y llamadas a org.jolokia.http.HttpRequestHandler#executeRequest. En pilas de llamadas m\u00e1s profundas, org.jolokia.handler.ExecHandler#doHandleRequest puede invocar mediante reflexi\u00f3n. Y luego, RCE se puede lograr a trav\u00e9s de jdk.management.jfr.FlightRecorderMXBeanImpl que existe en la versi\u00f3n de Java superior a 11. 1 Call newRecording. 2 Call setConfiguration. Y en \u00e9l se esconden datos de un webshell. 3 Call startRecording. 4 Call copyTo method. El webshell se escribir\u00e1 en un archivo .jsp. La mitigaci\u00f3n es restringir (de forma predeterminada) las acciones autorizadas en Jolokia o desactivar Jolokia. Se ha definido una configuraci\u00f3n de Jolokia m\u00e1s restrictiva en la distribuci\u00f3n predeterminada de ActiveMQ. Alentamos a los usuarios a actualizar a la versi\u00f3n de distribuciones ActiveMQ, incluida la configuraci\u00f3n actualizada de Jolokia: 5.16.6, 5.17.4, 5.18.0, 6.0.0."
          }
        ],
        "id": "CVE-2022-41678",
        "lastModified": "2024-02-16T13:15:09.380",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-11-28T16:15:06.840",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/28/1"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Vendor Advisory"
            ],
            "url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl"
          },
          {
            "source": "security@apache.org",
            "url": "https://security.netapp.com/advisory/ntap-20240216-0004/"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-502"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.