CVE-2024-32114

8.5 HIGH

📋 TL;DR

Apache ActiveMQ 6.x has a default configuration vulnerability that leaves the API web context unsecured, allowing unauthenticated access to the Jolokia JMX REST API and the Message REST API. This affects all users running ActiveMQ 6.x with default settings and enables unauthorized interaction with the broker and unauthorized message operations.

💻 Affected Systems

Products:
  • Apache ActiveMQ
Versions: 6.x versions before 6.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects default configurations; custom configurations with authentication already enabled are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete broker compromise allowing unauthorized message production/consumption, destination deletion, and potential remote code execution via JMX operations.

🟠 Likely Case

Unauthorized message manipulation, data exfiltration, and broker disruption through message queue operations.

🟢 If Mitigated

No impact if proper authentication is configured or systems are upgraded to patched versions.

🌐 Internet-Facing: HIGH - Directly exposed APIs allow unauthenticated remote attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and uses standard REST API calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.2

Vendor Advisory: https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt

Restart Required: Yes

Instructions:

  1. Upgrade to ActiveMQ 6.1.2 or later.
  2. Restart the ActiveMQ service.
  3. Verify authentication is enabled on API endpoints.

🔧 Temporary Workarounds

Manual Configuration Update

all

Add an authentication requirement to the conf/jetty.xml configuration file.

Edit conf/jetty.xml and add:

  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/" />
  </bean>
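One way to confirm that an edited conf/jetty.xml actually places /api/ behind an authenticating constraint (an added example, not code from the ActiveMQ project or the advisory). The `authenticate` property, the `Constraint` class name, the comma-separated pathSpec handling and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAPPING_CLASS = "org.eclipse.jetty.security.ConstraintMapping"  # class named on the page

def _local(tag):
    """Strip the Spring beans namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _props(bean):
    """Map each <property> name of a bean to its value= or ref= attribute."""
    return {p.get("name"): p.get("value", p.get("ref"))
            for p in bean if _local(p.tag) == "property"}

def covers_api(path_spec):
    """True if any entry of a comma-separated pathSpec covers /api/ URLs."""
    specs = {s.strip() for s in (path_spec or "").split(",")}
    return bool(specs & {"/", "/*", "/api/*"})

def audit_jetty_xml(xml_text):
    """Return ids of ConstraintMapping beans that require login for /api/."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.iter()
             if _local(b.tag) == "bean" and b.get("id")}
    protecting = []
    for bean_id, bean in beans.items():
        if bean.get("class") != MAPPING_CLASS:
            continue
        props = _props(bean)
        constraint = beans.get(props.get("constraint"))
        # Assumption: the referenced constraint enforces login via authenticate="true".
        enforced = constraint is not None and _props(constraint).get("authenticate") == "true"
        if enforced and covers_api(props.get("pathSpec")):
            protecting.append(bean_id)
    return protecting

# Constructed sample, not a shipped jetty.xml; the Constraint class name is an assumption.
TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="authenticate" value="true" />
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="{spec}" />
  </bean>
</beans>"""
HARDENED_XML = TEMPLATE.format(spec="/")            # the workaround's pathSpec
WEAK_XML = TEMPLATE.format(spec="*.jsp,*.html")     # constructed: /api/ not covered

if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED_XML), ("weak", WEAK_XML)):
        print(name, audit_jetty_xml(xml) or "NO authenticating mapping covers /api/")
```

The audit does not model Jetty's precedence rules when several mappings overlap, so treat an empty result as a definite finding and a non-empty one as a reason to confirm with the live check under How to Verify.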

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to ActiveMQ API ports (typically 8161)
  • Deploy a reverse proxy with authentication in front of ActiveMQ web interface

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://activemq-host:8161/api/jolokia or http://activemq-host:8161/api/message without authentication. If either is accessible, the system is vulnerable.

Check Version:

Check ActiveMQ web console or run: java -jar activemq.jar --version

Verify Fix Applied:

Verify authentication is required when accessing API endpoints. Check ActiveMQ version is 6.1.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated API access attempts
  • JMX operations from unauthorized IPs
  • Message operations without user authentication

Network Indicators:

  • HTTP requests to /api/jolokia or /api/message without authentication headers
  • Unusual message queue activity

SIEM Query:

source="activemq" AND (uri_path="/api/jolokia" OR uri_path="/api/message") AND NOT auth_user=*
