A remote code execution (RCE) vulnerability that lurked in Apache ActiveMQ Classic for 13 years could be chained with an older flaw to bypass authentication, Horizon3.ai reports.
An open source messaging and Integration Patterns server, Apache ActiveMQ acts as a middleware broker that handles message queues and is widely used across numerous industries. ActiveMQ Classic is the original version of the broker.
Tracked as CVE-2026-34197, the newly identified bug allows attackers to invoke management operations through the Jolokia API and trick the broker into retrieving a remote configuration file and executing OS commands.
According to Horizon3.ai, the security defect is a bypass for CVE-2022-41678, a bug that allows attackers to write webshells to disk by invoking specific JDK MBeans.
The fix, the cybersecurity firm explains, added a flag allowing all operations on every ActiveMQ MBean to be callable via Jolokia. The code execution issue was identified in an operation that sets up broker-to-broker bridges at runtime.
Exploitation of the bug, however, also requires targeting ActiveMQ’s VM transport feature, which was designed for embedding a broker inside an application. This results in the client and broker communicating directly within the same JVM.
If a VM transport URI references a nonexistent broker, ActiveMQ creates one and accepts a parameter instructing it to load a configuration that could include attacker-supplied URLs.
By chaining the two mechanisms, an attacker could trick the broker into retrieving and running a Spring XML configuration file that “instantiates all bean definitions, resulting in remote code execution,” Horizon3.ai says.
The cybersecurity firm also notes that, on some deployments, RCE could be achieved without authentication by exploiting CVE-2024-32114, which exposes the Jolokia API to unauthenticated users.
“CVE-2024-32114 is a separate vulnerability in ActiveMQ 6.x where the /api/* path, which includes the Jolokia endpoint, was inadvertently removed from the web console’s security constraints. This means Jolokia is completely unauthenticated on ActiveMQ versions 6.0.0 through 6.1.1,” Horizon3.ai explains.
The newly discovered security defect was addressed in ActiveMQ Classic versions 5.19.4 and 6.2.3. Users are advised to update their deployments as soon as possible.
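For defenders triaging an estate of brokers, the version boundaries named above can be turned into a quick inventory check. The script below is an added example, not Horizon3.ai’s or the ActiveMQ project’s code; the hostnames and versions in the inventory are constructed, and it uses only the fixed versions (5.19.4, 6.2.3) and the unauthenticated-Jolokia range (6.0.0 through 6.1.1) stated in the article.

```python
# Added example: classify ActiveMQ Classic versions from an asset inventory against
# the fixed versions reported for CVE-2026-34197 (5.19.4 on the 5.x line, 6.2.3 on
# the 6.x line) and the CVE-2024-32114 range (6.0.0 through 6.1.1, inclusive) in
# which the Jolokia endpoint is reachable without authentication.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '5.19.3' into (5, 19, 3). Qualifiers such as '-SNAPSHOT' are dropped.
    Tuple comparison is used so that 5.19.10 correctly sorts after 5.19.4."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

def exposure(version_text: str) -> Dict[str, bool]:
    """Return which issues a given broker version is still exposed to."""
    v = parse_version(version_text)
    if v[0] == 5:
        rce_unpatched = v < (5, 19, 4)
    elif v[0] == 6:
        rce_unpatched = v < (6, 2, 3)
    else:
        rce_unpatched = False  # unknown release line: review manually
    unauth_jolokia = (6, 0, 0) <= v <= (6, 1, 1)
    return {
        "CVE-2026-34197": rce_unpatched,
        "CVE-2024-32114": unauth_jolokia,
        # Both conditions together are what allows the unauthenticated RCE chain.
        "unauthenticated_rce_chain": rce_unpatched and unauth_jolokia,
    }

# Constructed inventory: "<host> <version>" per line.
CONSTRUCTED_INVENTORY = """\
mq-prod-01 5.18.3
mq-prod-02 5.19.4
mq-dev-01 6.1.1
mq-dev-02 6.2.3
"""

def triage(inventory: str) -> List[Tuple[str, str, Dict[str, bool]]]:
    rows = []
    for line in inventory.splitlines():
        if line.strip():
            host, ver = line.split()
            rows.append((host, ver, exposure(ver)))
    return rows

if __name__ == "__main__":
    for host, ver, flags in triage(CONSTRUCTED_INVENTORY):
        hits = [name for name, hit in flags.items() if hit]
        print(f"{host:12} {ver:8} {'patched' if not hits else ', '.join(hits)}")
```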