VYPR
Critical severity · NVD Advisory · Published Sep 10, 2020 · Updated Aug 4, 2024

CVE-2020-11998

Description

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack (https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html): "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A regression in Apache ActiveMQ's JMX connector allows unauthenticated remote code execution by passing an empty environment map, bypassing authentication.

Vulnerability

Overview

A regression introduced in a commit intended to prevent JMX re-bind caused the RMIConnectorServer to be created with an empty environment map instead of the map containing authentication credentials [1][2][3][4]. This effectively disables JMX authentication, leaving the connector open to unauthenticated access.

Exploitation

A remote attacker can connect to the JMX connector without any credentials. By using the javax.management.loading.MLet MBean, they can load and instantiate arbitrary MBeans from URLs, leading to arbitrary code execution if no security manager is present [1].

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on the ActiveMQ broker, potentially compromising the entire system and any data it processes [1].

Mitigation

Apache has fixed this issue in ActiveMQ version 5.15.13. Users should upgrade immediately to restore proper authentication. The fix ensures the environment map containing credentials is passed to the RMIConnectorServer [1][2][3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
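The environment-map handling described in the Overview and Mitigation above, as an added Java example that is not ActiveMQ's code: a constructed in-memory JMXAuthenticator stands in for the credentials ActiveMQ places in `environment`, `startConnector` mirrors the patched call sites (the same map reaches both RMIJRMPServerImpl and RMIConnectorServer), and `anonymousConnectRejected` is the post-upgrade check that the connector refuses a connection made without credentials. The class and method names, port 1099, the `jmxrmi` path and the sample credentials are assumptions made for this example.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.management.remote.rmi.RMIJRMPServerImpl;
import javax.security.auth.Subject;

/** Constructed illustration, not ActiveMQ's ManagementContext: one environment map must reach both call sites. */
public class JmxConnectorCheck {
    /** Hypothetical in-memory authenticator; the JDK's file-based jmx.remote.x.password.file entry is the usual alternative. */
    static JMXAuthenticator authenticator(String user, String password) {
        return credentials -> {
            String[] c = credentials instanceof String[] ? (String[]) credentials : new String[0];
            if (c.length != 2 || !user.equals(c[0]) || !password.equals(c[1]))
                throw new SecurityException("authentication failed");   // null credentials land here too
            return new Subject(true, Collections.singleton(new JMXPrincipal(user)),
                    Collections.emptySet(), Collections.emptySet());
        };
    }
    /** Same shape as the patched createConnector: `environment` goes to the RMI server AND the connector. */
    static JMXConnectorServer startConnector(int port, Map<String, Object> environment) throws Exception {
        LocateRegistry.createRegistry(port);
        RMIJRMPServerImpl server = new RMIJRMPServerImpl(port, null, null, environment);
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        // 5.15.12 passed a fresh empty HashMap here instead of `environment` (CVE-2020-11998)
        JMXConnectorServer cs = new RMIConnectorServer(url, environment, server,
                ManagementFactory.getPlatformMBeanServer());
        cs.start();
        return cs;
    }
    /** Post-upgrade check: connecting with no credentials must fail with SecurityException. */
    static boolean anonymousConnectRejected(JMXServiceURL url) throws java.io.IOException {
        try (JMXConnector c = JMXConnectorFactory.connect(url)) {
            return false;                      // connected anonymously: authentication is not enforced
        } catch (SecurityException expected) {
            return true;
        }
    }
    public static void main(String[] args) throws Exception {
        Map<String, Object> environment = new HashMap<>();   // constructed sample credentials
        environment.put(JMXConnectorServer.AUTHENTICATOR, authenticator("admin", "example-only-secret"));
        JMXConnectorServer cs = startConnector(1099, environment);
        System.out.println("anonymous connect rejected: " + anonymousConnectRejected(cs.getAddress()));
        cs.stop();
    }
}
```

Run against a broker's own connector, the check only tells you whether credentials are demanded at all; it does not exercise the MLet path the advisory quotes, and a `true` result is what an upgraded 5.15.13 broker with credentials configured should produce.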

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem   Affected versions        Patched versions
org.apache.activemq:activemq-parent    Maven       >= 5.15.12, < 5.15.13    5.15.13


Patches

88b78d0

Merge pull request #539 from coheigea/AMQ-7490

https://github.com/apache/activemq · Jean-Baptiste Onofré · May 23, 2020 · via ghsa
1 file changed · +1 −2
  • activemq-broker/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java · +1 −2 · modified
    @@ -587,13 +587,12 @@ private void createConnector(MBeanServer mbeanServer) throws MalformedObjectName
                 rmiServer = ""+getConnectorHost()+":" + rmiServerPort;
             }
     
    -        final Map<String,Object> env = new HashMap<>();
             server = new RMIJRMPServerImpl(connectorPort, null, null, environment);
     
             final String serviceURL = "service:jmx:rmi://" + rmiServer + "/jndi/rmi://" +getConnectorHost()+":" + connectorPort + connectorPath;
             final JMXServiceURL url = new JMXServiceURL(serviceURL);
     
    -        connectorServer = new RMIConnectorServer(url, env, server, ManagementFactory.getPlatformMBeanServer());
    +        connectorServer = new RMIConnectorServer(url, environment, server, ManagementFactory.getPlatformMBeanServer());
             LOG.debug("Created JMXConnectorServer {}", connectorServer);
         }
     
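Review bot: the one-argument change at `new RMIConnectorServer(url, environment, server, ...)` is the entire fix, and removing the now-unused `env` local is right, but the regression it reverts was itself a one-argument slip that passed review, so this PR should carry a regression test that puts credentials in `environment`, starts the connector, and asserts that `JMXConnectorFactory.connect` without credentials throws `SecurityException`. Also, the deleted `final Map<String,Object> env = new HashMap<>();` line was the only use of `HashMap` visible in this hunk; drop the `java.util.HashMap` import if nothing else in `ManagementContext` still uses it.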
    
0d6e5f2

AMQ-7490 - Fix JMX regression

https://github.com/apache/activemq · Colm O hEigeartaigh · May 22, 2020 · via ghsa
1 file changed · +1 −2
  • activemq-broker/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java · +1 −2 · modified
aa8900c

AMQ-7490 - Fix JMX regression

https://github.com/apache/activemq · Colm O hEigeartaigh · May 22, 2020 · via ghsa
1 file changed · +1 −2
  • activemq-broker/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java · +1 −2 · modified

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
