CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration
First published: Wed May 01 2024(Updated: )
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API). To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement: <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> <property name="constraint" ref="securityConstraint" /> <property name="pathSpec" value="/" /> </bean> Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.activemq:apache-activemq | >=6.0.0<6.1.2 | 6.1.2 |
| Apache ActiveMQ | >=6.0.0<6.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt
- https://nvd.nist.gov/vuln/detail/CVE-2024-32114
- https://github.com/apache/activemq/pull/1201
- https://github.com/apache/activemq/commit/43cc596219b6a8c8b5a54fbda3fb68cb4424f2d0
- https://issues.apache.org/jira/browse/AMQ-9477
- https://github.com/advisories/GHSA-gj5m-m88j-v7c3 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-32114?
CVE-2024-32114 has a high severity due to the lack of authentication for the Jolokia JMX REST API and Message REST API.
How do I fix CVE-2024-32114?
To fix CVE-2024-32114, configure security settings to require authentication for the API endpoints in Apache ActiveMQ.
Which versions are affected by CVE-2024-32114?
CVE-2024-32114 affects Apache ActiveMQ versions from 6.0.0 to 6.1.2.
What type of attack can be conducted due to CVE-2024-32114?
CVE-2024-32114 allows unauthorized users to interact with the message broker and potentially compromise broker integrity.
Is there a patch available for CVE-2024-32114?
Yes, a patch addressing CVE-2024-32114 is expected in forthcoming updates of Apache ActiveMQ.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-32114
- agent/title
- agent/first-publish-date
- agent/weakness
- agent/type
- agent/references
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gj5m-m88j-v7c3
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/softwarecombine
- agent/event
- collector/github-advisory
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- vendor/apache
- canonical/apache activemq
- version/apache activemq/6.0.0