By listing and inspecting the MBeans exposed by the Jolokia API at http://127.0.0.1:8161/console/jolokia, the following attack vectors were identified:
- Arbitrary File Write using Log4J indirectly resulting in Remote Code Execution
- Arbitrary File Read using Log4J
- DoS using Artemis Broker MBeans
This vulnerability can be exploited by a local attacker who knows the basic authentication credentials used by the Artemis web interface.
Note: If the server is started with `--allow-anonymous`, any non-null user/password combination can be used to authenticate.
The vendor's disclosure for this vulnerability can be found here.
This vulnerability requires:
- Valid credentials for a user with the "admin" role (if authentication is required)
As multiple attack vectors have been identified, more details and the exploitation process for each vector can be found in one or more of the following PDFs:
- The initial report that was sent to the vendor: Apache Artemis - CVE-2023-50780 - Initial Report.pdf. The RCE vector requires:
  - The ability to overwrite the "broker.xml" file as the user running the web server
  - Restarting the entire Artemis application in order for the "broker.xml" changes to take effect (although the "forceFailover()" function can be leveraged to close the application, user interaction from an administrator is still required to restart it)
- Apache Artemis - CVE-2023-50780 - WAR + Restart Vector.pdf. The RCE vector requires:
  - The ability to overwrite one of the WAR files loaded by Artemis (e.g. "activemq-branding.war", "artemis-plugin.war" or "console.war") as the user running the web server
  - Restarting the embedded Jetty web server via the "restartEmbeddedWebServer()" function (no user interaction is required, as this function can be called by the attacker directly via the Artemis Broker MBean)
- Apache Artemis - CVE-2023-50780 - JAR + jvmtiAgentLoad.pdf. The RCE vector requires:
  - The ability to write files somewhere on the file system (e.g. "/tmp", "/dev/shm", "C:\Windows\Public", etc.) and leveraging Log4J to write an arbitrary JAR to that location
  - Loading the respective JAR and obtaining RCE via the "jvmtiAgentLoad([Ljava.lang.String;)" function
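As an added defender-side example that is not part of the original report or the vendor's code, the following Python scans a web access log for Jolokia `exec` requests that invoke the MBean operations named above (`restartEmbeddedWebServer`, `forceFailover`, `jvmtiAgentLoad`). It assumes the access log records the request line and, for POST requests, the JSON body on the same line; the sample log lines, client addresses and requests are constructed for the example.

```python
import json
import re
from urllib.parse import unquote

# Operations named in the advisory; on a broker that is never administered
# through Jolokia, an authenticated call to any of them deserves an alert.
SENSITIVE_OPERATIONS = {"restartEmbeddedWebServer", "forceFailover", "jvmtiAgentLoad"}

# One request per line: "<METHOD> <PATH> HTTP/x" <status> <bytes> [<json body>]
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d{3} \S+(?: (?P<body>[\[{].*[\]}]))?$'
)

# Constructed sample log (not real traffic); the POST body is appended to the line.
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Dec/2024:10:00:01 +0000] "GET /console/jolokia/list HTTP/1.1" 200 5120
10.0.0.5 - admin [18/Dec/2024:10:00:07 +0000] "GET /console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/restartEmbeddedWebServer HTTP/1.1" 200 140
10.0.0.9 - admin [18/Dec/2024:10:00:09 +0000] "POST /console/jolokia/ HTTP/1.1" 200 210 {"type":"exec","mbean":"com.sun.management:type=DiagnosticCommand","operation":"jvmtiAgentLoad([Ljava.lang.String;)","arguments":["/path/to/dropped.jar"]}
10.0.0.5 - admin [18/Dec/2024:10:01:00 +0000] "GET /console/jolokia/read/java.lang:type=Memory HTTP/1.1" 200 900
"""

def jolokia_exec_calls(line):
    """Return [(operation, mbean)] for every Jolokia 'exec' request on the line."""
    m = REQUEST_RE.search(line)
    if not m or "/jolokia" not in m.group("path"):
        return []
    if m.group("method") == "GET":
        # GET form is /jolokia/exec/<mbean>/<operation>[/<arg>...]
        _, _, rest = unquote(m.group("path")).partition("/exec/")
        segs = rest.split("/")
        return [(segs[1], segs[0])] if len(segs) >= 2 else []
    if m.group("method") == "POST" and m.group("body"):
        # POST form carries one request object or a bulk list of them
        reqs = json.loads(m.group("body"))
        reqs = reqs if isinstance(reqs, list) else [reqs]
        return [(r["operation"], r["mbean"]) for r in reqs
                if r.get("type") == "exec" and "operation" in r and "mbean" in r]
    return []

def flag_sensitive(log_text):
    """Return [(operation, mbean)] for calls to SENSITIVE_OPERATIONS in log order;
    a Jolokia signature suffix such as '([Ljava.lang.String;)' is stripped first."""
    hits = []
    for line in log_text.splitlines():
        for op, mbean in jolokia_exec_calls(line):
            name = op.split("(", 1)[0]
            if name in SENSITIVE_OPERATIONS:
                hits.append((name, mbean))
    return hits
```

Running `flag_sensitive(SAMPLE_LOG)` reports the restart and agent-load calls while ignoring the ordinary `list` and `read` requests.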
Blog post by Xu "pyn3rd" Yuanzhen explaining how an arbitrary JAR write combined with Jolokia can be used to obtain RCE
- This vulnerability was initially reported to security@apache.org on 14-Feb-2023
- Apache disclosed CVE-2023-50780 on 14-Oct-2024
- The initial report and the other vectors were publicly disclosed on 18-Dec-2024