CVE-2022-41678

8.8 HIGH

📋 TL;DR

This vulnerability allows users authenticated to the Jolokia endpoint (/api/jolokia) of the Apache ActiveMQ web console to execute arbitrary code, because the Jolokia policy shipped with vulnerable releases placed no restriction on which JMX MBean operations could be invoked. On Java 11+ the documented path invokes FlightRecorderMXBean operations (newRecording, setConfiguration, startRecording, copyTo) to write attacker-supplied content as a .jsp file under the web root, which the console then serves as a webshell; it is an abuse of legitimate MBean operations, not a deserialization flaw. Systems running vulnerable versions of Apache ActiveMQ with Jolokia enabled are affected.

💻 Affected Systems

Products:
  • Apache ActiveMQ
Versions: 5.16.x before 5.16.6 and 5.17.x before 5.17.4 (5.18.0 and 6.0.0 are the first releases of their lines and ship the restrictive Jolokia policy)
Operating Systems: Any; the issue is not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Jolokia endpoint (/api/jolokia on the web console, TCP 8161 by default) to be enabled and reachable; it is enabled in the standard distribution. The FlightRecorderMXBeanImpl path needs Java 11+ because that MXBean only exists in JDK 11 and later; the underlying flaw, an unrestricted Jolokia MBean policy, is present on any JVM.

📦 What is this software?

Apache ActiveMQ is an open-source Java message broker (JMS, AMQP, MQTT, STOMP, OpenWire). Its web console bundles Jolokia, an HTTP/JSON bridge to the broker's JMX MBeans, under /api/jolokia; the console's HTTP basic authentication (credentials in conf/jetty-realm.properties) is the only gate in front of it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the ActiveMQ server, potentially leading to data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

A webshell written into the web console's webapps directory, giving remote code execution as the broker's service account, followed by data exfiltration and further exploitation of the compromised server.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent access to Jolokia endpoints.

🌐 Internet-Facing: HIGH - Internet-facing ActiveMQ instances with Jolokia reachable are directly exploitable by anyone holding console credentials, which are admin/admin unless conf/jetty-realm.properties was changed.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access to the console port and valid (or default) console credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to Jolokia, but the steps are public: the vendor advisory itself lists the four MBean calls (newRecording, setConfiguration, startRecording, copyTo) that write the webshell. Multiple public advisories and discussions confirm weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.16.6, 5.17.4, 5.18.0, 6.0.0

Vendor Advisory: https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt

Restart Required: Yes

Instructions:

1. Download the patched ActiveMQ release (5.16.6, 5.17.4, 5.18.0, or 6.0.0).
2. Stop the ActiveMQ service.
3. Replace the installation with the patched version.
4. Restart the ActiveMQ service.
5. Verify the Jolokia restrictions are in effect.

The fix is delivered as a more restrictive Jolokia policy in the distribution's conf/jolokia-access.xml, so carrying your old conf/ directory over to the new install (a common upgrade habit) keeps the unrestricted policy and leaves you vulnerable. Diff the shipped conf/jolokia-access.xml against your copy and merge its <deny> entries before restarting.

🔧 Temporary Workarounds

Disable Jolokia endpoint

all

Remove or disable Jolokia servlet from ActiveMQ configuration to prevent exploitation.

Remove or comment out the org.jolokia.http.AgentServlet declaration. It is not in activemq.xml (the broker configuration) but in the web console configuration; locate it with grep -rn AgentServlet conf/ webapps/ from the ActiveMQ home directory (in 5.x it is the jolokia servlet declared in webapps/api/WEB-INF/web.xml)
Restart ActiveMQ service

Restrict Jolokia access

all

Configure network access controls to limit access to Jolokia endpoints.

Restrict access to the web console port (TCP 8161 by default) at the firewall or reverse proxy, or deny the /api/jolokia path at the proxy, so that only management hosts reach it
Change the default console credentials in conf/jetty-realm.properties and apply a Jolokia policy (conf/jolokia-access.xml) that denies the attributes and operations of jdk.management.jfr:type=FlightRecorder

🧯 If You Can't Patch

  • Disable Jolokia endpoint completely in ActiveMQ configuration
  • Implement strict network segmentation and firewall rules to block all access to Jolokia endpoints

🔍 How to Verify

Check if Vulnerable:

Check the ActiveMQ version and confirm whether the Jolokia endpoint answers at /api/jolokia (web console, port 8161 by default). With valid console credentials, send a request against jdk.management.jfr:type=FlightRecorder: a Jolokia response with status 200 means the policy does not restrict that MBean; status 403 (java.lang.SecurityException) means a deny rule is in place.

Check Version:

The startup line in data/activemq.log (or the console output) reads "Apache ActiveMQ <version> (<brokerName>, <id>) is starting"; the version is also in the jar names under lib/ (for example lib/activemq-broker-<version>.jar) and is shown by the admin web console.

Verify Fix Applied:

Verify the ActiveMQ version is 5.16.6, 5.17.4, 5.18.0, 6.0.0 or later, and that the running conf/jolokia-access.xml contains a <deny> entry covering the attributes and operations of jdk.management.jfr:type=FlightRecorder; the policy file, not the jar versions, is what closes this issue. A read or exec request against that MBean should now return Jolokia status 403.
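The checks above as an added example (the page itself carries no code, and this is not ActiveMQ or Jolokia project code): a Python script that tests a conf/jolokia-access.xml for a deny rule covering the FlightRecorder MBean and, given console credentials, sends a harmless read probe to a live /api/jolokia endpoint. The two embedded policy files are constructed samples showing the pre-fix and post-fix shape; the exact contents shipped by each release differ, so compare against the copy in your own distribution.

```python
"""Check whether an ActiveMQ Jolokia policy closes the CVE-2022-41678 path.

Added example for this page, not ActiveMQ or Jolokia project code. Assumptions:
the broker's policy file is conf/jolokia-access.xml (the file ActiveMQ's /api
webapp points Jolokia's policyLocation at); Jolokia's JSON protocol, where a
request is one JSON object and the response carries its own "status" field,
403 when the policy denies it; and the console's HTTP basic authentication.
"""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

# JDK constant FlightRecorderMXBean.MXBEAN_NAME: the MBean the exploit chain abuses.
JFR_MBEAN = "jdk.management.jfr:type=FlightRecorder"

# Constructed sample policies. The first is the pre-fix shape (CORS settings only,
# every MBean operation allowed); the second shows the restriction the patched
# distributions add. Real files vary by version, so check your own conf/ copy.
POLICY_UNRESTRICTED = """<restrict>
  <cors><strict-checking/></cors>
</restrict>"""

POLICY_RESTRICTED = """<restrict>
  <cors><strict-checking/></cors>
  <deny>
    <mbean>
      <name>jdk.management.jfr:type=FlightRecorder</name>
      <attribute>*</attribute>
      <operation>*</operation>
    </mbean>
  </deny>
</restrict>"""


def _name_matches(pattern: str, objname: str) -> bool:
    """Exact match or trailing-wildcard ObjectName pattern (e.g. jdk.management.jfr:*)."""
    if pattern.endswith("*"):
        return objname.startswith(pattern[:-1])
    return pattern == objname


def policy_denies_jfr(policy_xml: str) -> bool:
    """True if some <deny> entry blocks every operation on the FlightRecorder MBean."""
    root = ET.fromstring(policy_xml)
    for mbean in root.iterfind("./deny/mbean"):
        name = (mbean.findtext("name") or "").strip()
        ops = {(op.text or "").strip() for op in mbean.iterfind("operation")}
        if _name_matches(name, JFR_MBEAN) and "*" in ops:
            return True
    return False


def jfr_probe_request() -> dict:
    """A harmless probe: read an attribute instead of invoking an operation.

    The shipped restriction denies attributes and operations alike, so a 403 here
    means the MBean is policy-blocked; a 200 means the policy does not cover it.
    """
    return {"type": "read", "mbean": JFR_MBEAN, "attribute": "Recordings"}


def classify(response: dict) -> str:
    """Interpret Jolokia's JSON status (the HTTP status is usually 200 either way)."""
    status = response.get("status")
    if status == 200:
        return "unrestricted"
    if status == 403:
        return "denied-by-policy"
    if status == 404:
        return "mbean-absent"  # e.g. a Java 8 JVM has no jdk.management.jfr MBean
    return f"unexpected-{status}"


def probe(url: str, user: str, password: str, timeout: float = 5.0) -> str:
    """POST the probe to a live endpoint, e.g. http://broker:8161/api/jolokia."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(jfr_probe_request()).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}",
                 # ActiveMQ's policy enables strict CORS checking; a same-origin
                 # Origin header keeps the request acceptable under it.
                 "Origin": url.split("/api/", 1)[0]})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(json.loads(resp.read().decode()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:          # python check.py URL USER PASSWORD
        print(probe(*sys.argv[1:]))
    else:                           # offline: check a local policy file
        path = sys.argv[1] if len(sys.argv) == 2 else "conf/jolokia-access.xml"
        with open(path, encoding="utf-8") as fh:
            print("denies FlightRecorder:", policy_denies_jfr(fh.read()))
```

An HTTP 401 from the live probe means the console credentials were wrong rather than that the policy is in place; only a Jolokia JSON status of 403 shows the deny rule working. A 404 on a Java 8 broker does not mean the broker is safe, only that this particular MBean is absent there.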

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /api/jolokia (web console, port 8161 by default) from unexpected sources or outside change windows
  • Jolokia exec requests (handled by ExecHandler) targeting jdk.management.jfr:type=FlightRecorder, visible if Jolokia debug or request-body logging is enabled
  • JFR activity on the broker JVM that nobody started: jcmd <pid> JFR.check lists active recordings
  • Unexpected .jsp file creation under webapps/ (for example webapps/admin or webapps/api)

Network Indicators:

  • HTTP POST requests to /api/jolokia whose JSON body (a single object or a bulk array) has "type":"exec" and "mbean":"jdk.management.jfr:type=FlightRecorder", especially the sequence newRecording, setConfiguration, startRecording, copyTo
  • A copyTo argument naming a path under webapps/ or ending in .jsp, or a setConfiguration argument containing JSP markup (<%)
  • The same operations in GET form (/api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/...), which body-only inspection misses

SIEM Query:

source="activemq" AND url="/api/jolokia*" AND (body="*jdk.management.jfr:type=FlightRecorder*" OR message="*ExecHandler*" OR message="*FlightRecorderMXBean*")

Field names depend on how the console, proxy or WAF logs are ingested, and request bodies are only searchable if the proxy or WAF records them; the url match also covers the GET form of the exploit calls.
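The log and network indicators above as detection logic, added here as an example rather than taken from the page or from any ActiveMQ tooling. It assumes request records captured in front of the broker (reverse proxy, WAF, or a Jetty request log extended with POST bodies) with src, method, path and body fields; the records at the bottom are constructed, and the JSP marker in them is a harmless placeholder.

```python
"""Flag Jolokia requests that match the CVE-2022-41678 exploit path.

Added example for this page, not ActiveMQ or Jolokia project code. Assumes
request records with src, method, path and body (constructed samples below).
Handles the three shapes the indicators describe: a single JSON request, a
Jolokia bulk request (JSON array), and the GET form with the call in the URL.
"""
import json
from urllib.parse import unquote

JFR_MBEAN = "jdk.management.jfr:type=FlightRecorder"
JFR_PREFIX = "jdk.management.jfr:"
JOLOKIA_PATH = "/api/jolokia"


def jolokia_requests(method: str, path: str, body: str):
    """Yield the individual Jolokia requests carried by one HTTP request."""
    path = path.split("?", 1)[0]
    if not path.startswith(JOLOKIA_PATH):
        return
    if method == "POST" and body:
        try:
            parsed = json.loads(body)
        except ValueError:
            return
        for req in (parsed if isinstance(parsed, list) else [parsed]):
            if isinstance(req, dict):
                yield req
    elif method == "GET":
        # /api/jolokia/<type>/<mbean>/<operation-or-attribute>/<args...>
        parts = [unquote(p) for p in path[len(JOLOKIA_PATH):].split("/") if p]
        if len(parts) >= 2:
            req = {"type": parts[0], "mbean": parts[1]}
            if parts[0] == "exec":
                req["operation"] = parts[2] if len(parts) > 2 else ""
                req["arguments"] = parts[3:]
            elif parts[0] == "read" and len(parts) > 2:
                req["attribute"] = parts[2]
            yield req


def findings_for(req: dict) -> list:
    """Return (severity, reason) pairs for one Jolokia request."""
    out = []
    if req.get("type") != "exec":
        return out
    mbean = str(req.get("mbean", ""))
    op = str(req.get("operation", ""))
    arg_text = " ".join(str(a) for a in (req.get("arguments") or []))
    if mbean == JFR_MBEAN or mbean.startswith(JFR_PREFIX):
        out.append(("high", f"exec {op} on FlightRecorder MBean"))
        if op == "setConfiguration" and "<%" in arg_text:
            out.append(("critical", "JFR configuration argument contains JSP markup"))
        if op == "copyTo" and (arg_text.endswith(".jsp") or "webapps" in arg_text):
            out.append(("critical", f"JFR recording copied into web root: {arg_text}"))
    return out


def scan(records) -> list:
    """Run the detection over captured records; one alert dict per hit."""
    alerts = []
    for rec in records:
        for req in jolokia_requests(rec["method"], rec["path"], rec.get("body", "")):
            for severity, reason in findings_for(req):
                alerts.append({"src": rec["src"], "severity": severity, "reason": reason})
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    # Normal console traffic: reading a broker attribute.
    {"src": "10.0.0.7", "method": "POST", "path": JOLOKIA_PATH,
     "body": json.dumps({"type": "read", "attribute": "TotalEnqueueCount",
                         "mbean": "org.apache.activemq:type=Broker,brokerName=localhost"})},
    # Step 1 of the chain sent on its own.
    {"src": "203.0.113.9", "method": "POST", "path": JOLOKIA_PATH,
     "body": json.dumps({"type": "exec", "mbean": JFR_MBEAN,
                         "operation": "newRecording", "arguments": []})},
    # Steps 2-4 batched into one Jolokia bulk request.
    {"src": "203.0.113.9", "method": "POST", "path": JOLOKIA_PATH,
     "body": json.dumps([
         {"type": "exec", "mbean": JFR_MBEAN, "operation": "setConfiguration",
          "arguments": [1, "<%-- placeholder --%><% out.println(1); %>"]},
         {"type": "exec", "mbean": JFR_MBEAN, "operation": "startRecording", "arguments": [1]},
         {"type": "exec", "mbean": JFR_MBEAN, "operation": "copyTo",
          "arguments": [1, "/opt/activemq/webapps/admin/shell.jsp"]}])},
    # Step 1 again via the GET form, which body-only rules miss.
    {"src": "203.0.113.9", "method": "GET", "body": "",
     "path": JOLOKIA_PATH + "/exec/jdk.management.jfr:type=FlightRecorder/newRecording"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Any exec against the FlightRecorder MBean is worth an alert on its own; the critical findings fire when the argument content shows the recording is being filled with JSP markup or copied under webapps/, which is the point at which the webshell exists on disk.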

🔗 References
