CVE-2023-50780

8.8 HIGH

📋 TL;DR

Apache ActiveMQ Artemis versions before 2.29.0 expose the Log4J2 MBean through the authenticated Jolokia endpoint, allowing authenticated non-administrative users to write arbitrary files to the filesystem. This could lead to remote code execution. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Apache ActiveMQ Artemis
Versions: All versions before 2.29.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jolokia endpoint to be enabled and accessible to authenticated users.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker achieves remote code execution on the server, potentially compromising the entire system and data.

🟠 Likely Case

Authenticated attacker writes malicious files to the filesystem, leading to further exploitation or data manipulation.

🟢 If Mitigated

Attack is prevented by proper access controls or network segmentation limiting authenticated user access.

🌐 Internet-Facing: HIGH if Jolokia endpoint is exposed to the internet with authenticated users.
🏢 Internal Only: MEDIUM as it requires authenticated access but could be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to the Jolokia endpoint and knowledge of MBean operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.29.0

Vendor Advisory: https://lists.apache.org/thread/63b78shqz312phsx7v1ryr7jv7bprg58

Restart Required: Yes

Instructions:

1. Download Apache ActiveMQ Artemis version 2.29.0 or later from the official website.
2. Stop the ActiveMQ Artemis service.
3. Replace the existing installation with the new version.
4. Restart the service.

🔧 Temporary Workarounds

Disable Jolokia endpoint

Platforms: all

Prevent access to the Jolokia endpoint which exposes the vulnerable MBeans.

Edit broker.xml and set <jolokia-enabled>false</jolokia-enabled>

Restrict access to Jolokia endpoint

Platforms: all

Use network controls or authentication to limit access to the Jolokia endpoint.

Configure firewall rules or web server authentication to restrict access to the Jolokia endpoint URL

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ActiveMQ Artemis from untrusted networks.
  • Enforce least privilege access controls and monitor for suspicious authenticated user activity.

🔍 How to Verify

Check if Vulnerable:

Check whether the Jolokia endpoint is accessible and the Artemis version is below 2.29.0.

Check Version:

Check the Artemis version in logs or run: java -jar artemis.jar version

Verify Fix Applied:

Verify version is 2.29.0 or later and test that Log4J2 MBean is not accessible via Jolokia.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Jolokia endpoint
  • Suspicious file write operations via MBeans

Network Indicators:

  • Unusual traffic to Jolokia endpoint from authenticated users

SIEM Query:

source="activemq.log" AND ("jolokia" OR "MBean") AND ("write" OR "execute")
