CVE-2024-32114

02.05.2024, 09:15

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located).
It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).

To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement:
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
 <property name="constraint" ref="securityConstraint" />
 <property name="pathSpec" value="/" />
</bean>

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.5 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
apache	CNA	8.5 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 46%

Vendor	Product	Version
apache	activemq	6.0.0 ≤ 𝑥 < 6.1.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

activemq

bullseye	5.16.1-1 fixed
bullseye (security)	5.16.1-1+deb11u1 fixed
bookworm	5.17.2+dfsg-2+deb12u1 fixed
bookworm (security)	5.17.2+dfsg-2+deb12u1 fixed
sid	5.17.6+dfsg-1 fixed
trixie	5.17.6+dfsg-1 fixed

Common Weakness Enumeration

CWE-1188 - Insecure Default Initialization of Resource
The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References

https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt