CVE-2020-11998 — Vulnetix

CVE-2020-11998 PUBLISHED

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13

EPSS 6.91% · 91.6th percentile

Risk Scores

EPSS Score

6.91%

91.6th percentile

Affected Products

Vendor	Product	Versions
Bitnami	activemq	5.15.12, 5.15.12, 5.15.12
Bitnami	activemq	5.15.12

Exploit Intelligence

shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
shoucheng3/apache__activemq_CVE-2020-11998_5-15-12 (github-poc)
CIRCL seen: CVE-2020-11998 (circl-sighting)
https://www.oracle.com/security-alerts/cpujan2021.html (circl)

…and 6 more exploits

Timeline

Sep 10, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Jul 21, 2021 EPSS Score
Oct 21, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Nov 6, 2022 EPSS Score
Jan 8, 2023 EPSS Score

References

Open in Interactive Console →