Overview

Apache ActiveMQ 6.x, in releases before 6.1.2, ships a default configuration (conf/jetty.xml) that does not require authentication for the API web context. The issue has been assigned CVE-2024-32114. That context hosts both the Jolokia JMX REST API and the Message REST API, so the broker's management and messaging endpoints are reachable over HTTP by anyone who can connect to the embedded Jetty listener (port 8161 by default).

As a result, an unauthenticated client can read and change broker state over JMX and can produce, consume, purge, and delete messages and destinations without presenting any credentials. Note that this is a weakness of the shipped default configuration rather than of the authentication code itself: jetty.xml already defines a security constraint, it is simply not applied to the /api paths. Left unaddressed, this is a severe risk for anyone running an affected 6.x release with the stock configuration.

To understand why this is exploitable, first consider the two APIs involved:

1. Jolokia JMX REST API: Jolokia is a JSON-over-HTTP bridge to JMX (Java Management Extensions) that ActiveMQ bundles under /api/jolokia. JMX represents managed resources such as the broker, its queues and topics as MBeans (Managed Beans); through Jolokia an HTTP client can read and write MBean attributes and invoke their operations, which for a broker includes adding and removing destinations and purging queues.

2. Message REST API: served under /api/message, this API lets clients produce and consume messages over plain HTTP and perform destination-level actions such as purging and deleting destinations.

Here is a simple illustration of how these endpoints can be reached without any credentials (the queue name TEST is arbitrary):

// Send a message to the queue TEST; the Message REST API reads the payload
// from the form field "body" in the POST data, not from the query string
POST http://localhost:8161/api/message/TEST?type=queue
     body=message

// Consume (remove) one message from the queue
DELETE http://localhost:8161/api/message/TEST?type=queue

Because no credentials are demanded, anyone who can reach these endpoints can carry out such actions against the broker. Any success response to an unauthenticated request confirms the exposure; once the security constraint covers /api, the same requests are answered with HTTP 401.

To mitigate this issue, users have two options:

1. Update the default conf/jetty.xml so that the existing security constraint applies to the whole web context. The mapping below references the securityConstraint bean already defined in that file; with pathSpec set to / the constraint covers every path in the context, including /api and therefore both Jolokia and the Message REST API:

<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" value="/" />
</bean>

After restarting the broker, confirm that an unauthenticated request to http://localhost:8161/api/jolokia/version now returns HTTP 401. The accounts that are then accepted come from conf/jetty-realm.properties; the shipped defaults (admin/admin and user/user) must be changed, since the constraint is only as strong as those credentials.

2. Upgrade to Apache ActiveMQ 6.1.2 or later, where the default configuration applies authentication to the API web context out of the box.
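The following script is an added example written for this page; it is not part of the Apache ActiveMQ project or of the original advisory. It ties the illustration above to the mitigation: it requests the Jolokia and Message REST endpoints without credentials and classifies the broker as exposed or protected from the status codes, then (for a protected broker) repeats the probe with credentials to confirm legitimate access still works and flags the shipped default account. The base URL localhost:8161, the queue name TEST, the admin/admin credentials, the 5 second timeout and the readTimeout value are assumptions matching a stock local install; adjust them for your broker.

```python
#!/usr/bin/env python3
"""Check an ActiveMQ 6.x broker for the CVE-2024-32114 condition (unprotected /api).

Assumptions (not from the advisory): Jetty listener on localhost:8161, a queue
named TEST, and the admin/admin account from conf/jetty-realm.properties.
"""
import base64
import sys
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8161"

# Endpoints inside the /api web context that the advisory names. readTimeout (ms)
# is a Message REST API parameter that stops the GET from waiting its default
# period when TEST is empty. Note: if TEST holds a message, the GET consumes it.
PROBES = {
    "jolokia": ("GET", "/api/jolokia/version"),
    "message": ("GET", "/api/message/TEST?type=queue&readTimeout=1000"),
}


def basic_auth_header(user, password):
    """Build the value of an HTTP Basic Authorization header for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def http_status(url, method="GET", auth=None, timeout=5):
    """Issue one request and return its status code.

    4xx/5xx replies are answers, not errors; a failure to connect maps to 0.
    """
    headers = {}
    if auth is not None:
        headers["Authorization"] = basic_auth_header(*auth)
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0


def probe(base_url, auth=None):
    """Return {probe_name: status_code} for every endpoint in PROBES."""
    return {
        name: http_status(base_url + path, method=method, auth=auth)
        for name, (method, path) in PROBES.items()
    }


def assess(unauth_statuses):
    """Classify the unauthenticated results.

    Any 2xx means the endpoint served the request with no credentials, i.e. the
    security constraint does not cover /api (the CVE-2024-32114 condition).
    401 or 403 on every probe means the constraint mapping is in place.
    Anything else (404, 5xx, connection failures recorded as 0) is inconclusive.
    """
    exposed = sorted(n for n, code in unauth_statuses.items() if 200 <= code < 300)
    denied = sorted(n for n, code in unauth_statuses.items() if code in (401, 403))
    if exposed:
        return "VULNERABLE", exposed
    if denied and len(denied) == len(unauth_statuses):
        return "PROTECTED", denied
    return "INCONCLUSIVE", sorted(unauth_statuses)


def main(base_url=BASE_URL, creds=("admin", "admin")):
    unauth = probe(base_url)
    verdict, names = assess(unauth)
    print(f"unauthenticated: {unauth} -> {verdict} {names}")
    if verdict == "PROTECTED":
        # The fix must not lock out legitimate clients: credentials should still work.
        authed = probe(base_url, auth=creds)
        print(f"authenticated as {creds[0]}: {authed}")
        if creds == ("admin", "admin") and all(200 <= c < 300 for c in authed.values()):
            print("warning: shipped default credentials accepted; edit conf/jetty-realm.properties")
    return verdict


if __name__ == "__main__":
    # Usage: activemq_api_check.py [http://broker-host:8161]
    sys.exit(0 if main(*sys.argv[1:2]) == "PROTECTED" else 1)
```

The exit code makes the script usable as a post-change gate: run it before editing jetty.xml to see VULNERABLE, then after the restart to see PROTECTED. Because the GET on /api/message would remove a real message from TEST, point it at a scratch queue rather than a production destination.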

Conclusion

CVE-2024-32114 is a significant exposure for the Apache ActiveMQ 6.x series: a broker running the default configuration offers its JMX management and HTTP messaging interfaces to anyone on the network without authentication. Understanding what those interfaces allow is essential to judging the impact and to putting the right controls in place.

Users are strongly advised to either update the configuration file or upgrade to a patched release, and in either case to verify afterwards that unauthenticated requests to /api are rejected and that the default accounts in conf/jetty-realm.properties have been replaced.

Timeline

Published on: 05/02/2024 09:15:06 UTC
Last modified on: 05/02/2024 13:27:25 UTC