edit-icon download-icon

[Vulnerability notice] ActiveMQ unauthorized access vulnerability

Last Updated: Apr 08, 2018

Vulnerability name

ActiveMQ unauthorized access vulnerability

Vulnerability rating


Vulnerability description

ActiveMQ is a popular open source message server. No security parameters are set for ActiveMQ by default. By using this default configuration vulnerability, attackers can remotely run attack commands to obtain the server permissions, resulting in data leakage.

Condition and method of exploitation

Hackers can exploit the vulnerability on the Internet to gain server permissions remotely.

How to fix or mitigate

ActiveMQ security parameters can be configured on the console or through the backend. The console-based security configuration allows you to log on to the ActiveMQ console using a browser and manage ActiveMQ. You can add user names and passwords. In backend-based security configuration, the program sends messages to ActiveMQ.

  • Do not open the administration backend to the Internet. You can use ECS security group policies for access control. The default policy is to reject all communications. You can only open services that need to be provided to external users based on the service release conditions, and control the access to source IP addresses.

  • Respectively configure the security configuration of the Web console and access security configuration of the queue or topic service for ActiveMQ.

    Note: To avoid data loss, create backups or an ECS disk snapshot before the configuration.

Security settings on the Web console of ActiveMQ

  1. Modify the port number.

    The default user name and password for the ActiveMQ console http://localhost:8161/admin are “admin” and “admin”, respectively. The default port is 8061. The JETTY server is used. Therefore, modify the port and password by modifying JETTY configuration in jetty.xml and jetty-realm.xml.

    1. <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    2. <property name="name" value="BASIC" />
    3. <property name="roles" value="admin" />
    4. <property name="authenticate" value="true" />
    5. </bean>

    Note: The third attribute “authenticate” must be set to “true”.

    Change the default port to 8189:

    1. <bean id="Server" class="org.eclipse.jetty.server.Server" init-method="start"
    2. destroy-method="stop">
    3. <property name="connectors">
    4. <list>
    5. <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
    6. <property name="port" value="8191" />
    7. </bean>
  2. Change the user name and password to “parry” and “parry123”, respectively. We recommend that you use a strong password that consists of more than 10 characters including digits, letters, and symbols. The user name and password for logging on to the console are stored in the conf/jetty-realm.properties file. The content is as follows:

    1. parry: parry123, admin
    2. user: user, user
    3. ## Format: username: password, [rolename ...]
  3. Set the user name and password to connect to ActiveMQ.

    If you do not set ActiveMQ security policies, anyone who knows the IP address, port, and message address of ActiveMQ can receive and send messages. We recommend that you use the following configuration and add the following content before the <systemUsage> tag in the broker tag of conf/activemq.xml:

    1. <plugins>
    2. <simpleAuthenticationPlugin>
    3. <users>
    4. <authenticationUser username="parry" password="parry123" groups="users,admins"/>
    5. </users>
    6. </simpleAuthenticationPlugin>

    Note: The content must be added before the <systemUsage> tag. Otherwise, an error is reported when ActiveMQ is restarted.

  4. Restart ActiveMQ after all configurations are completed.

For more configuration solutions, see http://activemq.apache.org/security.html.

Thank you! We've received your feedback.