CVE-2020-11998: Code Injection

September 10, 2020 (updated December 10, 2021)

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

References

activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt
nvd.nist.gov/vuln/detail/CVE-2020-11998

Detect and mitigate CVE-2020-11998 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →