The Log4J component of the Redhat A-MQ application is misconfigured to allow the execution of arbitrary “Script” attributes in the Log4J config. If an attacker finds a way to modify the Log4J config used by A-MQ (e.g. via “setConfigText”), the insertion of malicious JavaScript scripts that will result in Remote Code Execution (RCE).
Note: For exploiting Red Hat AMQ versions > 7.10.2 and < 7.12 refer to CVE-2023-50780: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ Artemis.
Vendor did not care ¯\_(ツ)_/¯.
This vulnerability requires:
- Valid credentials for user with "admin" role (if authentication is required)
Note: If the server is set with "--allow-anonymous", then any non-null user-password combination can be used to authenticate.
More details and the exploitation process can be found in this PDF.
Code for exploiting Log4J over Jolokia (a.k.a log4jolokia)
CVE-2023-50780: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ Artemis