CVE-2020-11998
📋 TL;DR
This vulnerability in Apache ActiveMQ allows remote attackers to execute arbitrary code by exploiting a JMX re-bind regression. Attackers can bypass authentication and use MLet MBeans to load malicious code from arbitrary URLs. All ActiveMQ installations with JMX enabled are affected.
💻 Affected Systems
- Apache ActiveMQ
📦 What is this software?
- ActiveMQ by Apache
- Communications Diameter Signaling Router by Oracle
- Communications Session Report Manager by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to install malware, create backdoors, or disrupt messaging services.
If Mitigated
Limited impact if JMX is disabled or properly secured with authentication and network restrictions.
🎯 Exploit Status
Exploitation is straightforward once network access to JMX port is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache ActiveMQ 5.15.13
Vendor Advisory: http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt
Restart Required: Yes
Instructions:
1. Download ActiveMQ 5.15.13 or later from the Apache website.
2. Stop the ActiveMQ service.
3. Back up the configuration files.
4. Replace the installation with the new version.
5. Restore the configuration files.
6. Start the service.
🔧 Temporary Workarounds
Disable JMX
Disable the JMX management interface to prevent exploitation.
Edit activemq.xml and set useJmx="false" in the broker configuration
Restrict JMX Network Access
Use firewall rules to restrict access to the JMX port (default 1099).
iptables -A INPUT -p tcp --dport 1099 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 1099 -j DROP
🧯 If You Can't Patch
- Disable JMX entirely in ActiveMQ configuration
- Implement strict network segmentation and firewall rules to block all external access to JMX port
🔍 How to Verify
Check if Vulnerable:
Check the ActiveMQ version: grep 'ActiveMQ' activemq.log or check the web console. If the version is below 5.15.13 and JMX is enabled, the system is vulnerable.
Check Version:
java -jar activemq.jar version or check web console at http://localhost:8161
Verify Fix Applied:
Verify that the version is 5.15.13 or higher and test that JMX connectivity is properly secured.
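The two checks above (version below 5.15.13, JMX enabled) combined into one script, as an added example that is not part of this advisory page or of the ActiveMQ project: it pulls the version from a log line or CLI output and reads the useJmx attribute of the broker element in activemq.xml, treating a missing attribute as enabled, which is the ActiveMQ default. The log line and XML fragment are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Fixed version stated in the advisory summary above.
FIXED_VERSION = (5, 15, 13)

# Constructed samples standing in for `grep 'ActiveMQ' activemq.log` output and activemq.xml.
SAMPLE_LOG_LINE = "INFO | Apache ActiveMQ 5.15.12 (localhost, ID:host-1) is starting"
SAMPLE_XML_JMX_DEFAULT = (
    '<beans xmlns="http://www.springframework.org/schema/beans">'
    '<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost"/>'
    '</beans>'
)
SAMPLE_XML_JMX_OFF = SAMPLE_XML_JMX_DEFAULT.replace('brokerName="localhost"',
                                                    'brokerName="localhost" useJmx="false"')

def parse_version(text):
    """Return the x.y.z version that follows the word 'ActiveMQ', or None if absent."""
    m = re.search(r"ActiveMQ\s+(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def jmx_enabled(activemq_xml):
    """True unless the <broker> element explicitly sets useJmx="false" (default is enabled)."""
    root = ET.fromstring(activemq_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] == "broker":  # ignore the XML namespace prefix
            return el.get("useJmx", "true").strip().lower() != "false"
    return True  # no broker element found: assume the default, JMX on

def is_vulnerable(version_text, activemq_xml):
    """Apply the page's rule: version below 5.15.13 AND JMX enabled."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError("no 'ActiveMQ x.y.z' version string found")
    return version < FIXED_VERSION and jmx_enabled(activemq_xml)

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(SAMPLE_LOG_LINE, SAMPLE_XML_JMX_DEFAULT))
```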
📡 Detection & Monitoring
Log Indicators:
- Unauthorized JMX connection attempts
- MLet MBean creation in JMX logs
- Unexpected Java class loading from external URLs
Network Indicators:
- Unusual traffic to JMX port (default 1099) from unauthorized sources
- Outbound connections to suspicious URLs initiated by ActiveMQ process
SIEM Query:
source="activemq.log" AND ("JMX" OR "MLet" OR "unauthorized connection")
🔗 References
- http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html