Authenticated RCE vulnerability via ActiveMQ Minion payload deserialization

Description

The disclosing researcher writes:

I began to have a look at your software (suite) OpenNMS. Yesterday, I found that one could get Remote Code Execution (RCE) via malicious MQ messages
on the Horizon base station from a remote machine with minion credentials. At least that was the case I found quickly to be valid with respect to the role model.
Find attached a short write-up describing a little bit more on the exploitation steps.

The referenced write-up is included as a PDF attachment.

Environment

DockerHub image

Acceptance / Success Criteria

None

Attachments

1

Activity

Jeff Jancula January 18, 2022 at 7:45 PM

Changed to security-high label to match CVE

Benjamin Reed May 11, 2020 at 3:54 PM

This vulnerability was assigned a CVE: CVE-2020-12760

Jeff Gehlbach April 30, 2020 at 9:31 PM

tagging you here since we opened up the issue visibility after shipping releases that incorporate the fix. Thanks for disclosing with us

Jesse White April 20, 2020 at 8:14 PM

Jesse White April 20, 2020 at 8:12 PM
Edited

This was added when we upgraded ActiveMQ in 20.0.0 () and partially removed in 21.0.0 (), but we omitted to remove the trustAllPackages property.
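
A way to check configuration for the leftover property named in the comment above, as an added example that is not OpenNMS code. `trustAllPackages` and `trustedPackages` are properties of ActiveMQ's `ActiveMQConnectionFactory`; the Spring-style bean layout, bean ids and package names in the sample are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not an OpenNMS file): one weak bean, one restricted bean.
SAMPLE_XML = """<beans>
  <bean id="weakFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
    <property name="trustAllPackages" value="true"/>
  </bean>
  <bean id="restrictedFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
    <property name="trustedPackages">
      <list>
        <value>java.lang</value>
        <value>com.example.messages</value>
      </list>
    </property>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace so namespaced Spring/Blueprint files also match."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (bean id, status, trusted packages) for beans setting either property."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean":
            continue
        trust_all, packages, relevant = False, [], False
        for prop in bean:
            if local(prop.tag) != "property":
                continue
            name = prop.get("name")
            if name == "trustAllPackages":
                relevant = True
                value = prop.get("value") or (prop.text or "")
                trust_all = value.strip().lower() == "true"
            elif name == "trustedPackages":
                relevant = True
                packages = [v.text.strip() for v in prop.iter()
                            if local(v.tag) == "value" and v.text]
        if relevant:
            # trustAllPackages=true wins even when an allow-list is also present.
            status = "TRUST_ALL" if trust_all else "RESTRICTED"
            findings.append((bean.get("id"), status, packages))
    return findings
```

Any bean reported as `TRUST_ALL` lets the consumer deserialize `ObjectMessage` payloads of any class; the restricted form limits deserialization to the listed packages.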

Fixed

Created April 17, 2020 at 7:42 PM
Updated January 18, 2022 at 7:45 PM
Resolved April 21, 2020 at 12:09 AM