JMX Port Vulnerability in Apache TomEE Due to Misconfiguration
CVE-2020-13931
9.8 CRITICAL
What is CVE-2020-13931?
The vulnerability occurs when Apache TomEE is configured to use the embedded ActiveMQ broker and the broker is misconfigured, which opens a JMX port on TCP port 1099. This port lacks authentication, exposing the management interface to unauthorized access. The fix for a previous vulnerability attempted to address related security issues but did not sufficiently cover this specific edge case, leaving systems vulnerable if not properly configured.
Affected Version(s)
Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5