Bug#769887: Apache ActiveMQ Packaged with JMX/RMI Enabled

Georgi Geshev georgi.geshev at mwrinfosecurity.com
Mon Nov 17 10:41:11 UTC 2014


Package: activemq
Version: 5.6.0+dfsg-1

It looks like Apache ActiveMQ as packaged for Debian comes with a JMX/RMI service listening on all network interfaces and allowing unauthenticated access.

Achieving system command execution is as simple as querying JMX for the RMI registry endpoint port number, setting up a local proxy, deploying and executing a malicious managed bean as outlined in this blog post[1].

It may be worth revising the way you ship ActiveMQ and eventually consider limiting JMX access to localhost.

The commands below bring up ActiveMQ using the default configuration.

$ sudo ln -s /etc/activemq/instances-available/main /etc/activemq/instances-enabled/main
$ sudo /etc/init.d/activemq start
 * Starting ActiveMQ instance  activemq        [ OK ]
$

[1] http://www.accuvant.com/blog/exploiting-jmx-rmi
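
A check an administrator can run to confirm the binding described above, as an added example that is not part of the original report: it parses `ss -H -ltnp` output and lists every TCP listener owned by a `java` process that is not bound to loopback. The sample lines, ports and PIDs are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (not taken from the report).
# Ports and PIDs are made up for illustration.
SAMPLE_SS = """\
LISTEN 0 50 *:1099 *:* users:(("java",pid=2210,fd=14))
LISTEN 0 50 *:40213 *:* users:(("java",pid=2210,fd=13))
LISTEN 0 50 [::ffff:127.0.0.1]:61616 *:* users:(("java",pid=2210,fd=71))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 50 127.0.0.1:8161 0.0.0.0:* users:(("java",pid=2210,fd=80))
"""

# Matches each ("name",pid=N,...) entry in the ss process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),')

def bind_scope(addr):
    """Classify a listen address as 'loopback', 'all-interfaces' or 'specific'."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def exposed_listeners(ss_output, process="java"):
    """Return (pid, port, scope) for non-loopback listeners owned by `process`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # no process column (run ss as root) or not a listener
        addr, _, port = fields[3].rpartition(":")
        scope = bind_scope(addr)
        if scope == "loopback":
            continue
        for name, pid in PROC_RE.findall(" ".join(fields[5:])):
            if name == process:
                findings.append((int(pid), int(port), scope))
    return findings

if __name__ == "__main__":
    for pid, port, scope in exposed_listeners(SAMPLE_SS):
        print(f"java pid={pid} listens on port {port} ({scope})")
```

On a real host, feed it the output of `sudo ss -H -ltnp` instead of the sample. It reports every wide-bound Java listener, not only JMX/RMI, so broker transport ports that are meant to be reachable will show up too and need to be told apart by the reviewer.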
