CVE-2020-13931
First published: Thu Dec 17 2020(Updated: )
If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache TomEE | >=1.0.0<=1.7.5 | |
| Apache TomEE | >=7.0.0<=7.0.8 | |
| Apache TomEE | >=7.1.0<=7.1.3 | |
| Apache TomEE | >=8.0.0<=8.0.3 | |
| Apache TomEE | =7.0.0-m1 | |
| Apache TomEE | =7.0.0-m2 | |
| Apache TomEE | =7.0.0-m3 | |
| Apache TomEE | =8.0.0-m1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r7f98907165b355dc65f28a57f15103a06173ce03261115fa46d569b4@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r7f98907165b355dc65f28a57f15103a06173ce03261115fa46d569b4%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9%40%3Cdev.tomee.apache.org%3E
Frequently Asked Questions
What is CVE-2020-13931?
CVE-2020-13931 is a vulnerability in Apache TomEE versions 8.0.0-M1 to 8.0.3, 7.1.0 to 7.1.3, 7.0.0-M1 to 7.0.8, and 1.0.0 to 1.7.5 that allows unauthorized access to the JMX port if the embedded ActiveMQ broker is misconfigured.
What software is affected by CVE-2020-13931?
Apache TomEE versions 8.0.0-M1 to 8.0.3, 7.1.0 to 7.1.3, 7.0.0-M1 to 7.0.8, and 1.0.0 to 1.7.5 are affected by CVE-2020-13931.
What is the severity of CVE-2020-13931?
CVE-2020-13931 has a severity rating of 9.8 (critical).
How can I fix CVE-2020-13931?
To fix CVE-2020-13931, ensure that the embedded ActiveMQ broker is properly configured to enable authentication on the JMX port (TCP port 1099). Refer to the Apache TomEE documentation for specific configuration steps.
Where can I find more information about CVE-2020-13931?
You can find more information about CVE-2020-13931 on the Apache TomEE mailing list archives listed in the references section.
- collector/nvd-index
- agent/references
- agent/author
- agent/severity
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tomee
- version/apache tomee/1.0.0
- version/apache tomee/1.7.5
- version/apache tomee/7.0.0
- version/apache tomee/7.0.8
- version/apache tomee/7.1.0
- version/apache tomee/7.1.3
- version/apache tomee/8.0.0
- version/apache tomee/8.0.3
- version/apache tomee/7.0.0-m1
- version/apache tomee/7.0.0-m2
- version/apache tomee/7.0.0-m3
- version/apache tomee/8.0.0-m1