CVE-2020-11998

Description

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack - A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code. Mitigation - Upgrade to Apache ActiveMQ 5.15.13

How to fix CVE-2020-11998

To remediate CVE-2020-11998, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 5.15.13 or later

Is CVE-2020-11998 being exploited?

Moderate — EPSS is 6.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• >= 5.15.12, <= 5.15.12
• >= 5.15.12, < 5.15.13

CVSS scores

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11998
• WEBactivemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt
• WEBgithub.com/apache/activemq/commit/0d6e5f2
• WEBgithub.com/apache/activemq/commit/88b78d0
• WEB