From: Jean-Baptiste Onofré
To: oss-security@lists.openwall.com
Date: Wed, 01 May 2024 16:07:22 +0000
Message-ID: <3109ed27-2555-d49b-2c48-f3e699c5c866@apache.org>
Subject: [oss-security] CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration

Severity: low

Affected versions:

- Apache ActiveMQ 6.0.0 through 6.1.1

Description:

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located).
It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).

To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement:

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

This issue is being tracked as AMQ-9477

Credit:

Martin Zeissig (finder)

References:

https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt
https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-32114
https://issues.apache.org/jira/browse/AMQ-9477
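The following is an added offline configuration check; it is example code written for this page, not part of the advisory or of ActiveMQ's own code. The two jetty.xml documents embedded in it are constructed for the example: they follow the Spring-beans Constraint/ConstraintMapping pattern that ActiveMQ's conf/jetty.xml uses (an assumption of this example, not something the advisory states), with the first mapping only the admin console and so leaving the /api web context open, and the second adding a BASIC-auth mapping for /api/*. The functions parse such a file and report which API entry points (Jolokia and the Message REST API) it leaves reachable without authentication.

```python
"""Offline check: does an ActiveMQ-style conf/jetty.xml put an authenticating
Jetty security constraint in front of the /api web context?

Both sample documents are constructed for this example. They mirror the
Spring-beans + Jetty Constraint/ConstraintMapping layout of ActiveMQ's
jetty.xml (assumed here), but are not copied from any ActiveMQ release.
"""
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}

# Constructed sample: only the admin console is mapped, so /api (Jolokia JMX
# REST API and Message REST API) answers without credentials, the condition
# described by CVE-2024-32114.
JETTY_XML_OPEN = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/admin/*,*.jsp"/>
  </bean>
</beans>
"""

# Constructed sample: the same authenticating constraint is additionally
# mapped onto /api/*, which is the shape of the mitigation the advisory asks for.
JETTY_XML_FIXED = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/admin/*,*.jsp"/>
  </bean>
  <bean id="apiSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/api/*"/>
  </bean>
</beans>
"""

# Entry points named by the advisory: Jolokia JMX REST API and Message REST API.
API_PATHS = ("/api/jolokia/", "/api/message/")


def _props(bean):
    """Index a bean's <property name="..."> children by name."""
    return {p.get("name"): p for p in bean.findall("b:property", NS)}


def _spec_matches(spec, path):
    """Servlet path-spec matching for the forms Jetty constraint mappings use."""
    if spec.endswith("/*"):            # prefix mapping, e.g. /api/*
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):          # suffix mapping, e.g. *.jsp
        return path.endswith(spec[1:])
    return path == spec                # exact mapping


def constraint_mappings(xml_text):
    """Yield (path_specs, authenticate) for every ConstraintMapping bean."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.findall("b:bean", NS)}
    for bean in beans.values():
        if not (bean.get("class") or "").endswith(".ConstraintMapping"):
            continue
        props = _props(bean)
        spec_prop = props.get("pathSpec")
        raw = spec_prop.get("value", "") if spec_prop is not None else ""
        specs = [s.strip() for s in raw.split(",") if s.strip()]
        ref_prop = props.get("constraint")
        constraint = beans.get(ref_prop.get("ref")) if ref_prop is not None else None
        authenticate = False
        if constraint is not None:
            auth_prop = _props(constraint).get("authenticate")
            authenticate = auth_prop is not None and auth_prop.get("value", "").lower() == "true"
        yield specs, authenticate


def path_requires_auth(xml_text, path):
    """True if some mapping covering `path` points at an authenticating constraint."""
    return any(auth and any(_spec_matches(s, path) for s in specs)
               for specs, auth in constraint_mappings(xml_text))


def unprotected_api_paths(xml_text):
    """API entry points this jetty.xml leaves reachable without authentication."""
    return [p for p in API_PATHS if not path_requires_auth(xml_text, p)]


if __name__ == "__main__":
    for label, doc in (("open", JETTY_XML_OPEN), ("fixed", JETTY_XML_FIXED)):
        print(label, "unprotected:", unprotected_api_paths(doc))
```

To run it against a deployed broker, pass the contents of conf/jetty.xml to `unprotected_api_paths`. The check only reads the declared constraint mappings; it does not replace confirming on the running broker that the /api context actually answers with an authentication challenge after the change.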