CVE-2022-41678: Apache ActiveMQ Deserialization of Untrusted Data vulnerability
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
| Field | Value |
|---|---|
| CVE ID | CVE-2022-41678 |
| GHSA ID | |
| EPSS Score | 0.98534% |
| CWE | |
| Published | 11/28/2023 |
| Updated | 5/31/2024 |
| KEV Status | No |
| Technology | Java |
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.activemq:apache-activemq | maven | < 5.16.6 | 5.16.6 |
| org.apache.activemq:apache-activemq | maven | >= 5.17.0, < 5.17.4 | 5.17.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability chain starts with `handlePostRequest`, which parses untrusted JSON into `JmxRequest` objects. `executeRequest` then dispatches these requests to handlers such as `ExecHandler`, whose `doHandleRequest` uses reflection to invoke arbitrary MBean operations, including dangerous ones. The patch restricts `ExecHandler` by limiting the set of allowed commands and blocking access to the `jdk.management.jfr.FlightRecorder` MXBean, which confirms that these functions lie on the exploit path.