Package: activemq
Version: 5.6.0+dfsg-1

It looks like Apache ActiveMQ as packaged for Debian comes with JMX/RMI service 
listening on all network interfaces and allowing for unauthenticated access.

Achieving system command execution is as simple as querying JMX for the RMI 
registry endpoint port number, setting up a local proxy, deploying and 
executing a malicious managed bean as outlined in this blog post[1].

It may be worth revising the way you ship ActiveMQ and eventually consider 
limiting JMX access to localhost.

The commands below bring up ActiveMQ using the default configuration.

$ sudo ln -s /etc/activemq/instances-available/main 
/etc/activemq/instances-enabled/main
$ sudo /etc/init.d/activemq start
 * Starting ActiveMQ instance  activemq        [ OK ]
$

[1] http://www.accuvant.com/blog/exploiting-jmx-rmi

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to