Unauthenticated JMX Port Vulnerability in Apache TomEE with Misconfigured ActiveMQ Broker

CVE-2020-13931 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, or 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099 without authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface; however, that fix was incomplete and did not cover this edge case.
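A quick way to triage a host against the two conditions stated above (affected version, listener on TCP 1099), as an added example that is not part of the advisory or of the TomEE project. The function names are assumptions made for this sketch, and a successful TCP connect only shows that something is listening, not that it is JMX or unauthenticated.

```python
import re
import socket

# Affected ranges as listed in the advisory (inclusive bounds).
AFFECTED = [("8.0.0-M1", "8.0.3"), ("7.1.0", "7.1.3"),
            ("7.0.0-M1", "7.0.8"), ("1.0.0", "1.7.5")]
JMX_PORT = 1099      # port named in the advisory
_RELEASE = 10**6     # a final release sorts after all of its milestones
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-M(\d+))?$")

def version_key(version):
    """Turn '8.0.0-M1', '7.1.3' or '1.6.0.1' into a sortable tuple."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TomEE version: {version!r}")
    major, minor, patch, fourth, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(fourth or 0),
            int(milestone) if milestone else _RELEASE)

def is_affected(version):
    """True if the version falls inside one of the advisory's ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED)

def port_open(host, port=JMX_PORT, timeout=2.0):
    """True if a TCP connection succeeds. This shows a listener exists;
    it does not prove the listener is JMX or that it lacks authentication."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(version, host="127.0.0.1", port=JMX_PORT):
    """Combine both checks; 'review' is set only when both are true."""
    affected, listening = is_affected(version), port_open(host, port)
    return {"version": version, "affected": affected,
            "listening": listening, "review": affected and listening}

if __name__ == "__main__":
    # Constructed sample versions, checked against the local host only.
    for v in ("8.0.3", "8.0.4", "7.0.0-M2"):
        print(audit(v))
```

A host flagged with `review` still needs its broker configuration and the process owning the port inspected before drawing a conclusion.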
