VYPR
High severity · NVD Advisory · Published May 2, 2024 · Updated Aug 2, 2024

Apache ActiveMQ: Jolokia and REST API were not secured with default configuration

CVE-2024-32114

Description

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).

To mitigate, users can update the default conf/jetty.xml configuration file to add an authentication requirement:

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache ActiveMQ 6.x default configuration lacks authentication for API web context (Jolokia JMX and Message REST APIs), allowing unauthenticated interaction with the broker.

Vulnerability

Description

In Apache ActiveMQ 6.x, the default conf/jetty.xml configuration does not secure the API web context, which hosts the Jolokia JMX REST API and the Message REST API [1][2]. This means that no authentication is required to access these endpoints, allowing anyone with network access to interact with the broker's JMX layer or message management interfaces [2].

Exploitation

An attacker can send HTTP requests to the Jolokia JMX REST API to execute JMX operations, such as reading or modifying MBeans, or potentially invoking methods that could lead to code execution. Similarly, the Message REST API can be used to produce, consume, purge, or delete messages and destinations on the broker [1][2]. No authentication credentials are needed, making exploitation straightforward for any attacker who can reach the broker's web interface [4].

Impact

Successful exploitation could allow an attacker to control message queues and topics, disrupt messaging services, and potentially gain deeper access to the broker's internals via JMX. This could lead to data loss, service denial, or further compromise of systems that depend on the broker [2].

Mitigation

Users are advised to either update the conf/jetty.xml file to include a security constraint mapping with pathSpec="/" to require authentication, or upgrade to Apache ActiveMQ 6.1.2, where authentication is enabled by default [1][2][4].
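The following is an added audit script, not code from the advisory or the ActiveMQ project: it reads a jetty.xml and reports whether the securityConstraintMapping still carries the pre-6.1.2 pathSpec. It assumes the bean id and property name shown in the fix commit; the sample XML and the admin pathSpec value in it are constructed.

```python
"""Audit an ActiveMQ 6.x conf/jetty.xml for the CVE-2024-32114 default.
Added example, not ActiveMQ project code; it assumes the mapping keeps the
bean id "securityConstraintMapping" and the "pathSpec" property from the fix."""
import xml.etree.ElementTree as ET

# Pre-6.1.2 default from the fix commit ("*.jsp") left /api/* open; the
# patched value "/" is the servlet default mapping, so it covers every path.
VULNERABLE_PATHSPEC = "*.jsp"
PATCHED_PATHSPEC = "/"

# Constructed sample mirroring the pre-fix default in the commit diff; the
# admin pathSpec value is made up for illustration.
SAMPLE_VULNERABLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="*.jsp" />
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="/admin/*" />
  </bean>
</beans>"""
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace('value="*.jsp"', 'value="/"')

def _local(tag):
    """Strip the Spring beans namespace: '{http://...}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]

def constraint_mappings(jetty_xml):
    """Return {bean id: pathSpec} for every Jetty ConstraintMapping bean."""
    found = {}
    for bean in ET.fromstring(jetty_xml).iter():
        if _local(bean.tag) != "bean" or not bean.get("class", "").endswith(".ConstraintMapping"):
            continue
        props = {p.get("name"): p.get("value") for p in bean if _local(p.tag) == "property"}
        found[bean.get("id")] = props.get("pathSpec")
    return found

def audit(jetty_xml):
    """Classify a jetty.xml as 'patched', 'vulnerable' or 'unknown'."""
    spec = constraint_mappings(jetty_xml).get("securityConstraintMapping")
    if spec == PATCHED_PATHSPEC:
        return "patched"
    if spec in (VULNERABLE_PATHSPEC, None):  # old default, or no mapping at all
        return "vulnerable"
    return "unknown"  # site-specific pathSpec: review by hand

if __name__ == "__main__":
    print(audit(SAMPLE_VULNERABLE), audit(SAMPLE_PATCHED))
```

Run it against the real conf/jetty.xml on each broker host; "unknown" means a locally customised mapping that needs a manual look.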

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.activemq:apache-activemq (Maven)
Affected versions: >= 6.0.0, < 6.1.2
Patched versions: 6.1.2

Affected products

  • Apache Software Foundation/Apache ActiveMQv5
    Range: 6.0.0

Patches

43cc596219b6

Merge pull request #1201 from cshannon/AMQ-9476

https://github.com/apache/activemq · JB Onofré · Apr 10, 2024 · via ghsa
1 file changed · +1 −1
  • assembly/src/release/conf/jetty.xml (+1 −1, modified)
    @@ -49,7 +49,7 @@
         </bean>
         <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
             <property name="constraint" ref="securityConstraint" />
    -        <property name="pathSpec" value="*.jsp" />
    +        <property name="pathSpec" value="/" />
         </bean>
         <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
             <property name="constraint" ref="adminSecurityConstraint" />
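Review bot: the widened `<property name="pathSpec" value="/" />` is the entire fix, so the PR should document that every path under the web root, the API context included, now requires credentials; the previous `*.jsp` scope is exactly why Jolokia and the Message REST API were reachable without authentication. Worth confirming in the description that `/` (the servlet default mapping) rather than `/*` is the intended pattern, and that `adminSecurityConstraintMapping`, whose own pathSpec lies outside this hunk, does not need the same widening.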
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
