Missing authorization in ActiveMQ

#VU89096 Missing authorization in ActiveMQ

Published: 2024-05-01

Vulnerability identifier: #VU89096

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-32114

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ActiveMQ
Server applications / Mail servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to missing authorization in the application's REST API. A remote attacker can interact with the broker using Jolokia JMX REST API and produce/consume messages or purge/delete destinations using the Message REST API.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ActiveMQ: 6.1.0 - 6.1.1, 6.0.0 - 6.0.1

External links
http://activemq.apache.org/security-advisories.data/CVE-2024-32114
http://issues.apache.org/jira/browse/AMQ-9477

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure

Missing authorization in Apache ActiveMQ