资产安全
商业安全
安全服务
返回- 发布日期2020-09-10
- 感知时间2020-09-10
- 漏洞类型安全更新
- 风险等级中危
- 更新版本 5.x
- 情报贡献TSRC
JMX remote client could execute arbitrary code
CVE-2020-11998: Apache ActiveMQ JMX remote client could execute arbitrary code<br/><br/>Severity: Moderate<br/><br/>Vendor: The Apache Software Foundation<br/><br/>Affected Version: only Apache ActiveMQ 5.15.12<br/><br/>Vulnerability details: <br/>A regression has been introduced in the commit preventing JMX re-bind.<br/>By passing an empty environment map to RMIConnectorServer, instead of the map that contains<br/>he authentication credentials, it leaves ActiveMQ open to the following attack:<br/><br/> https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html<br/><br/>"A remote client could create a javax.management.loading.MLet MBean and use<br/> it to create new MBeans from arbitrary URLs, at least if there is no<br/> security manager. In other words, a rogue remote client could make your<br/> Java application execute arbitrary code."<br/><br/>Mitigation: Upgrade to Apache ActiveMQ 5.15.13<br/><br/>Credit: Jonathan Gallimore & Colm O hEigeartaigh<br/>
Apache ActiveMQ是Apache软件基金会所研发的开放源代码消息中间件;由于ActiveMQ是一个纯Java程序,因此只需要操作系统支持Java虚拟机,ActiveMQ便可执行。
<p><a target="_blank" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11998">CVE-2020-11998</a></p>
暂无
暂无
http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt
微信扫码关注公众号
