8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41678

GHSA ID

GHSA-53v4-42fg-g287

EPSS Score

0.98534%

CWE

CWE-287

Published

11/28/2023

Updated

5/31/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41678

CVE-2022-41678: Apache ActiveMQ Deserialization of Untrusted Data vulnerability

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.

In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia

org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest.

Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection.

And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.

1 Call newRecording.

2 Call setConfiguration. And a webshell data hides in it.

3 Call startRecording.

4 Call copyTo method. The webshell will be written to a .jsp file.

The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-41678

CVE-2022-41678:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41678

GHSA ID

GHSA-53v4-42fg-g287

EPSS Score

0.98534%

CWE

CWE-287

Published

11/28/2023

Updated

5/31/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.activemq:apache-activemq	maven	< 5.16.6	5.16.6
org.apache.activemq:apache-activemq	maven	>= 5.17.0, < 5.17.4	5.17.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain starts with handlePostRequest processing untrusted JSON to create JmxRequest objects. executeRequest propagates these requests to handlers like ExecHandler, which uses reflection in doHandleRequest to invoke dangerous MBean operations. The patch specifically restricts ExecHandler's capabilities by limiting allowed commands and blocking access to jdk.management.jfr.FlightRecorder MXBean, confirming these functions' role in the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-41678: Apache ActiveMQ Deserialization of Untrusted Data vulnerability

CVE-2022-41678:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

8.8

8.8

CVE-2022-41678: Apache ActiveMQ Deserialization of Untrusted Data vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI