1. Executive Summary
Updated: May 2, 2024
In Apache ActiveMQ 6.x, the default configuration does not secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). This means that anyone can use these layers without any authentication. Potentially, anyone can interact with the broker (using the Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).
HYTE MQ customers are not impacted by CVE-2024-32114. HYTE MQ does not deploy the open source REST API as it is not suitable for enterprise use cases given the authentication and authorization is fixed to a single user account.
2. Affected Versions
Apache ActiveMQ affected versions:
Apache ActiveMQ 6.x before 6.1.2
Apache ActiveMQ users are recommended to upgrade to fixed versions:
Apache ActiveMQ 6.1.2 or greater
3. Mitigation Technical Details
To mitigate, users can update the default conf/jetty.xml configuration file to add an authentication requirement for the whole web context:
Change
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="*.jsp" />
</bean>
To
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/" />
</bean>
Users running Apache ActiveMQ 6.x prior to 6.1.2 are encouraged to apply this fix to their configuration and restart their ActiveMQ process.
And/Or
We encourage users to upgrade to Apache ActiveMQ 6.1.2 or greater where the default configuration has been updated with authentication by default.
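As an added example (not part of the HYTE advisory or of the ActiveMQ project), the script below parses a conf/jetty.xml and reports whether the securityConstraintMapping bean still carries the pre-6.1.2 pathSpec "*.jsp" or the corrected "/". The embedded XML fragments are constructed from the snippets above, and the command-line file argument is an assumption.

```python
"""Added example (not from the HYTE advisory or ActiveMQ): report whether
conf/jetty.xml maps the security constraint to the whole context ("/")
or only to "*.jsp", which leaves the /api REST endpoints unauthenticated."""
import sys
import xml.etree.ElementTree as ET

CONSTRAINT_MAPPING = "org.eclipse.jetty.security.ConstraintMapping"

# Constructed fragments mirroring the "Change" / "To" snippets above.
VULNERABLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="*.jsp" />
</bean>
</beans>"""
FIXED_XML = VULNERABLE_XML.replace('value="*.jsp"', 'value="/"')


def _local(tag: str) -> str:
    """Drop the XML namespace prefix that Spring bean files carry."""
    return tag.rsplit("}", 1)[-1]


def security_path_specs(jetty_xml: str) -> list:
    """Return the pathSpec of every Jetty ConstraintMapping bean."""
    specs = []
    for bean in ET.fromstring(jetty_xml).iter():
        if _local(bean.tag) != "bean" or bean.get("class") != CONSTRAINT_MAPPING:
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "pathSpec":
                specs.append(prop.get("value"))
    return specs


def api_context_protected(jetty_xml: str) -> bool:
    """True when a constraint covers the whole context ("/" or "/*");
    a mapping that only matches "*.jsp" leaves /api unauthenticated."""
    return any(spec in ("/", "/*") for spec in security_path_specs(jetty_xml))


if __name__ == "__main__":
    # Assumed usage: python check_jetty.py [path/to/conf/jetty.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = VULNERABLE_XML  # fall back to the constructed vulnerable sample
    status = "protected" if api_context_protected(text) else "UNPROTECTED"
    print(f"pathSpec(s) {security_path_specs(text)}: /api context is {status}")
```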
This issue is being tracked as AMQ-9477.
4. References
CVE Information:
CVE-2024-32114 | https://www.cve.org/CVERecord?id=CVE-2024-32114
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-32114
CVE-2024-32114 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32114
5. Contact HYTE
For technical assistance, please open a support ticket in the HYTE Portal
You are solely responsible for determining the appropriateness of using and distributing any publicly available HYTE information and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This information is not intended to be used in any situation where a failure could cause risk of injury or damage to property. This is not intended as legal advice and no warranty is provided with this information. Use at your own risk.
Questions?
Sometimes a 15-minute conversation with a Messaging Platform Architect can help make it all clear. Schedule a meeting for a quick discussion and/or online demo of our platform and tools.