CVE-2020-13931
📋 TL;DR
This vulnerability in Apache TomEE exposes an unauthenticated JMX port (TCP 1099) when using a misconfigured embedded ActiveMQ broker. Attackers can remotely execute arbitrary code, manipulate server configurations, or access sensitive data. Affects TomEE versions 1.0.0-1.7.5, 7.0.0-M1-7.0.8, 7.1.0-7.1.3, and 8.0.0-M1-8.0.3.
💻 Affected Systems
- Apache TomEE
📦 What is this software?
Tomee by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Unauthorized access to JMX management interface allowing configuration changes, service disruption, and potential privilege escalation.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent access to the exposed JMX port.
🎯 Exploit Status
Exploitation requires network access to port 1099 and knowledge of JMX exploitation techniques, which are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TomEE 8.0.4, 7.1.4, 7.0.9, 1.7.6
Vendor Advisory: https://lists.apache.org/thread.html/r7f98907165b355dc65f28a57f15103a06173ce03261115fa46d569b4%40%3Cdev.tomee.apache.org%3E
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache TomEE website.
2. Back up the current configuration.
3. Stop the TomEE service.
4. Replace the TomEE installation with the patched version.
5. Restore the configuration.
6. Restart the TomEE service.
🔧 Temporary Workarounds
Disable JMX or add authentication
Configure TomEE to disable JMX or to require authentication for JMX connections.
Edit tomee.xml or system.properties to set -Dcom.sun.management.jmxremote.authenticate=true and configure proper credentials
Block port 1099 at firewall
Prevent external access to the vulnerable JMX port.
iptables -A INPUT -p tcp --dport 1099 -j DROP
netsh advfirewall firewall add rule name="Block TomEE JMX" dir=in action=block protocol=TCP localport=1099
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TomEE servers from untrusted networks
- Deploy host-based firewall rules to block all inbound connections to port 1099
🔍 How to Verify
Check if Vulnerable:
Check whether TomEE is listening on port 1099 without authentication: run netstat -an | grep 1099, then attempt a JMX connection without credentials using jconsole or a similar tool. If the connection succeeds, the instance is exposed.
Check Version:
Check the TomEE version: grep "tomee.version" tomee/conf/tomee.xml, or run java -jar tomee/lib/catalina.jar version.
Verify Fix Applied:
After patching, verify port 1099 is not open or requires authentication. Test JMX connection attempts fail without proper credentials.
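The following Python script is an added example, not code from the advisory or the TomEE project. It automates the verification steps above from a defender's side: it parses JVM system properties for the JDK's com.sun.management.jmxremote.* settings, flags the weak configuration beside the hardened one, and scans netstat -an output for port 1099 bound to a non-loopback address. The property contents, the password file path and the netstat lines are constructed samples.

```python
import re

# Constructed sample inputs (hypothetical, not from a real TomEE host): two
# JVM property sets in conf/system.properties style and a netstat -an excerpt.
WEAK_PROPERTIES = """\
com.sun.management.jmxremote.port=1099
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false
"""
HARDENED_PROPERTIES = """\
com.sun.management.jmxremote.port=1099
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.password.file=/opt/tomee/conf/jmxremote.password
"""
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
"""
JMX = "com.sun.management.jmxremote."
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_properties(text):
    """Parse key=value lines (Java .properties subset); '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def jmx_findings(props):
    """Return findings for a JMX remote configuration; an empty list means hardened."""
    findings = []
    if JMX + "port" not in props:
        return findings  # no remote JMX connector configured by these properties
    if props.get(JMX + "authenticate", "true").lower() == "false":
        findings.append("CRITICAL: JMX port %s accepts unauthenticated connections" % props[JMX + "port"])
    if props.get(JMX + "ssl", "true").lower() == "false":
        findings.append("WARNING: JMX remote traffic is not TLS-protected")
    return findings

def exposed_jmx_listeners(netstat_text, port="1099"):
    """Bind addresses on `port` that are not loopback, taken from netstat -an output."""
    matches = (LISTEN_RE.match(line) for line in netstat_text.splitlines())
    return [m.group(1) for m in matches
            if m and m.group(2) == port and m.group(1) not in ("127.0.0.1", "::1")]
```

Run jmx_findings over the properties actually loaded by the TomEE JVM and exposed_jmx_listeners over live netstat -an output; a non-empty result from either means the workaround or patch has not taken effect.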
📡 Detection & Monitoring
Log Indicators:
- Unauthorized JMX connection attempts in TomEE logs
- JMX authentication failures
Network Indicators:
- Unexpected connections to TCP port 1099
- JMX protocol traffic from untrusted sources
SIEM Query:
source_port=1099 OR (protocol="JMX" AND authentication_status="failed")
🔗 References
- https://lists.apache.org/thread.html/r7f98907165b355dc65f28a57f15103a06173ce03261115fa46d569b4%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cdev.tomee.apache.org%3E