CVE-2025-27391
📋 TL;DR
Apache ActiveMQ Artemis versions 1.5.1 through 2.39.0 log sensitive broker configuration properties when debug logging is enabled. This exposes credentials, connection strings, and other sensitive data to anyone with log file access. All users running affected versions with debug logging enabled are vulnerable.
💻 Affected Systems
- Apache ActiveMQ Artemis
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative credentials, database connection strings, or encryption keys from logs, leading to complete system compromise, data theft, or lateral movement.
Likely Case
Unauthorized users with log access obtain sensitive configuration details like passwords, enabling further attacks against the broker or connected systems.
If Mitigated
With proper log access controls, only trusted administrators can view logs, limiting exposure to authorized personnel.
🎯 Exploit Status
Exploitation requires access to log files, which typically needs existing system access or misconfigured permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.40.0
Vendor Advisory: https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps
Restart Required: Yes
Instructions:
1. Download Apache ActiveMQ Artemis 2.40.0 or later from official sources.
2. Stop the ActiveMQ Artemis service.
3. Backup configuration and data.
4. Install the new version.
5. Restart the service.
🔧 Temporary Workarounds
Disable Debug Logging
All platforms: Change the ConfigurationImpl logger level from DEBUG to INFO or higher to prevent sensitive data logging.
Edit logging configuration (e.g., logging.properties or log4j2.xml) and set logger 'org.apache.activemq.artemis.core.config.impl.ConfigurationImpl' to level INFO or WARN.
Restrict Log File Access
Linux: Set file permissions on log directories to allow access only to trusted users.
chmod 750 /path/to/activemq/logs
chown activemq:trustedgroup /path/to/activemq/logs
🧯 If You Can't Patch
- Ensure log files have strict permissions (e.g., 600) and are accessible only to necessary service accounts.
- Monitor log files for unauthorized access attempts and review access controls regularly.
🔍 How to Verify
Check if Vulnerable:
Check whether the ActiveMQ Artemis version is between 1.5.1 and 2.39.0 and whether the ConfigurationImpl logger is set to DEBUG in the logging configuration.
Check Version:
On Linux: run artemis version or check the artemis.cfg file. On Windows: check artemis.cfg in the installation directory.
Verify Fix Applied:
After upgrade to 2.40.0+, verify version and confirm ConfigurationImpl logger no longer outputs sensitive properties at DEBUG level.
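The "Check if Vulnerable" step as a script. This is an added example, not code from the Apache project or from this advisory; it also covers the case where DEBUG is set on a parent package and inherited by ConfigurationImpl. It assumes the logging configuration uses Log4j 2 properties syntax (logger.<id>.name / logger.<id>.level and rootLogger.level), and the function names are hypothetical.

```python
import re

# Logger named on this page; range bounds are the affected versions it lists.
TARGET = "org.apache.activemq.artemis.core.config.impl.ConfigurationImpl"
FIRST_AFFECTED, LAST_AFFECTED = (1, 5, 1), (2, 39, 0)
VERBOSE = {"DEBUG", "TRACE", "ALL"}  # levels that emit DEBUG messages

def parse_version(text):
    """Turn '2.39.0' (or '2.39.0-SNAPSHOT') into (2, 39, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def effective_level(properties_text, logger_name=TARGET):
    """Resolve the level a logger inherits (assumed Log4j 2 properties syntax)."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    # Root level: 'rootLogger.level = X' or shorthand 'rootLogger = X, appender'.
    root = props.get("rootLogger.level") or props.get("rootLogger", "ERROR").split(",")[0]
    best_name, best_level = "", root.strip().upper()
    for key, name in props.items():
        m = re.fullmatch(r"logger\.([^.]+)\.name", key)
        level = props.get(f"logger.{m.group(1)}.level") if m else None
        # A logger config applies to its own name and every dotted descendant;
        # the longest matching name wins.
        applies = logger_name == name or logger_name.startswith(name + ".")
        if level and applies and len(name) > len(best_name):
            best_name, best_level = name, level.upper()
    return best_level

def is_exposed(version_text, properties_text):
    """True when the version is affected and DEBUG output is enabled."""
    in_range = FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED
    return in_range and effective_level(properties_text) in VERBOSE

# Constructed sample config: DEBUG is set on a parent package, not on
# ConfigurationImpl itself, yet the class logger inherits it.
SAMPLE = """\
rootLogger.level = INFO
logger.activemq.name = org.apache.activemq
logger.activemq.level = INFO
logger.artemis_core.name = org.apache.activemq.artemis.core
logger.artemis_core.level = DEBUG
"""
```

Call is_exposed() with the broker's reported version and the contents of its logging configuration file; a True result means the workaround or the upgrade above still needs to be applied.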
📡 Detection & Monitoring
Log Indicators:
- Log entries containing broker properties like passwords, connection strings, or keys when DEBUG logging is enabled.
Network Indicators:
- Unusual access patterns to log files from unauthorized IPs or users.
SIEM Query:
source="activemq.logs" AND "ConfigurationImpl" AND "DEBUG" AND ("password" OR "secret" OR "key")