Apache TomEE Security Bypass Vulnerability.
Description:
Apache TomEE is prone to a security bypass vulnerability.
The vulnerability is caused by a misconfiguration issue that arises when TomEE is configured with the embedded ActiveMQ broker.
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted request.
Successful exploitation can allow an attacker to enable a JMX port on TCP port 1099 without authentication.
| CVE ID | CVE-2020-13931 |
| CVSS v3.0 Score | Base Score: 9.8 |
| CVSS v2.0 Score | Base Score: 10 |
| Severity Rating | Critical |
Apache has released security updates addressing this vulnerability.
Versions Affected:
The following Apache TomEE versions are affected:
- Apache TomEE 8.0.0-M1 – 8.0.3
- Apache TomEE 7.1.0 – 7.1.3
- Apache TomEE 7.0.0-M1 – 7.0.8
- Apache TomEE 1.0.0 – 1.7.5
Importantly, CVE-2020-11969 previously addressed the creation of the JMX management interface, but that fix was incomplete and did not cover this edge case.
Mitigation:
It is highly recommended to upgrade to the versions below:
- Upgrade to TomEE 7.0.9 or later
- Upgrade to TomEE 7.1.4 or later
- Upgrade to TomEE 8.0.4 or later
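To turn the affected and fixed version ranges above into an inventory check, here is an added Python example (not part of the advisory or of Apache TomEE itself). The ordering rule for milestone builds ("-M1" sorts before the final release of the same number) and the handling of the 1.x branch, for which the advisory names no fixed release, are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixed versions, taken from the advisory above.
# (inclusive lower bound, inclusive upper bound, fixed version or None)
AFFECTED = [
    ("8.0.0-M1", "8.0.3", "8.0.4"),
    ("7.1.0", "7.1.3", "7.1.4"),
    ("7.0.0-M1", "7.0.8", "7.0.9"),
    ("1.0.0", "1.7.5", None),  # advisory lists no fixed 1.x release
]

# Accepts "8.0.3" or milestone builds such as "8.0.0-M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map a TomEE version string to a sortable tuple.

    The fourth field is 0 for a milestone and 1 for a final release, so
    8.0.0-M1 < 8.0.0-M2 < 8.0.0 (assumed ordering for milestone builds).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised TomEE version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_tomee_version(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version) for an installed TomEE version.

    fixed_version is None when the version is not affected or when the
    advisory names no fixed release for that branch (the 1.x line).
    """
    current = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= current <= parse_version(high):
            return (True, fixed)
    return (False, None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("app-01", "8.0.3"), ("app-02", "8.0.4"), ("legacy", "1.7.5")]:
        affected, fixed = check_tomee_version(ver)
        print(f"{host}: TomEE {ver} affected={affected} upgrade_to={fixed}")
```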