CVE-2021-26118
📋 TL;DR
CVE-2021-26118 is an access control bypass vulnerability in Apache ActiveMQ Artemis where advisory message creation in the OpenWire protocol bypasses policy-based access controls for the entire session. This affects Apache ActiveMQ Artemis 2.15.0 users who rely on policy-based access control for message broker security.
💻 Affected Systems
- Apache ActiveMQ Artemis
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could bypass all policy-based access controls, potentially gaining unauthorized access to sensitive messages, administrative functions, or broker resources, leading to data exposure or system compromise.
Likely Case
Unauthorized users could access messages or broker functions they shouldn't have permission to access, potentially leading to information disclosure or privilege escalation within the messaging system.
If Mitigated
With proper network segmentation and authentication controls, impact would be limited to unauthorized access within the messaging system rather than full system compromise.
🎯 Exploit Status
Exploitation requires access to the OpenWire protocol endpoint and knowledge of advisory message creation, but the bypass mechanism is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.16.0 and later
Vendor Advisory: https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
Restart Required: Yes
Instructions:
1. Download Apache ActiveMQ Artemis 2.16.0 or later from the official Apache website.
2. Stop the current ActiveMQ Artemis instance.
3. Back up configuration and data.
4. Install the new version.
5. Restore configuration and data.
6. Start the updated instance.
🔧 Temporary Workarounds
Disable OpenWire Protocol
Temporarily disable the OpenWire protocol to prevent exploitation while planning for patching.
Edit broker.xml and remove or comment out OpenWire acceptor configuration
Network Segmentation
Restrict network access to ActiveMQ Artemis OpenWire endpoints to trusted sources only.
Use firewall rules to limit access to TCP port 61616 (default OpenWire port) to authorized IP addresses
🧯 If You Can't Patch
- Implement strict network access controls to limit who can connect to the OpenWire protocol endpoints
- Monitor for unusual advisory message creation patterns and implement additional authentication layers
🔍 How to Verify
Check if Vulnerable:
Check if running Apache ActiveMQ Artemis version 2.15.0 and using policy-based access control with OpenWire protocol enabled.
Check Version:
Check the version.txt file in the Artemis installation directory or examine startup logs for version information.
Verify Fix Applied:
Verify the installed version is 2.16.0 or later by checking the version file or startup logs.
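The verification and workaround guidance above can be scripted. The following Python check is an added example, not code from the advisory or the Artemis project: it pulls the x.y.z version from version.txt or a startup log line and lists the broker.xml acceptors that still serve OpenWire (an acceptor URL without a protocols= parameter serves every protocol). The version line and the broker.xml sample are constructed inputs; the acceptor URL layout follows the standard Artemis format.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 16, 0)     # first release carrying the fix, per the advisory
AFFECTED_VERSION = (2, 15, 0)  # release the advisory names as affected


def parse_version(text):
    """Return the first x.y.z version found in version.txt or a log line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version string found")
    return tuple(int(p) for p in m.groups())


def openwire_acceptors(broker_xml):
    """Names of <acceptor> entries that expose OpenWire (namespace-agnostic)."""
    exposed = []
    for el in ET.fromstring(broker_xml).iter():
        if el.tag.split("}")[-1] != "acceptor":
            continue
        url = (el.text or "").strip()
        m = re.search(r"protocols=([^;&]+)", url)
        # No protocols= parameter means the acceptor serves all protocols.
        protocols = m.group(1).upper().split(",") if m else ["ALL"]
        if "OPENWIRE" in protocols or "ALL" in protocols:
            exposed.append(el.get("name", "<unnamed>"))
    return exposed


def assess(version_text, broker_xml):
    """Combine the version check with the OpenWire exposure check."""
    version = parse_version(version_text)
    acceptors = openwire_acceptors(broker_xml)
    return {
        "version": version,
        "fixed": version >= FIXED_VERSION,
        "openwire_acceptors": acceptors,
        "vulnerable": version == AFFECTED_VERSION and bool(acceptors),
    }


# Constructed sample resembling a default broker.xml with OpenWire on 61616.
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true</acceptor>
      <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
    </acceptors>
  </core>
</configuration>"""

if __name__ == "__main__":
    # Constructed startup-log style line standing in for version.txt.
    print(assess("Apache ActiveMQ Artemis Message Broker version 2.15.0", SAMPLE_BROKER_XML))
```

Removing OPENWIRE from the protocols list of every acceptor (the page's workaround) makes the exposure list empty, which the script reports as not vulnerable even on 2.15.0.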
📡 Detection & Monitoring
Log Indicators:
- Unusual advisory message creation patterns
- Access control policy violations in logs
- Failed authentication attempts followed by successful advisory operations
Network Indicators:
- Unusual advisory message traffic on OpenWire protocol
- Connection attempts from unauthorized sources to OpenWire endpoints
SIEM Query:
source="activemq-artemis" AND (event_type="advisory_creation" OR message="access control violation")
🔗 References
- https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E
- https://security.netapp.com/advisory/ntap-20210827-0002/