CVE-2022-41678: 
Java vulnerability analysis and mitigation

CVE-2022-41678 is a deserialization vulnerability in Apache ActiveMQ's Jolokia component that affects versions before 5.16.6 and 5.17.0 before 5.17.4. The vulnerability was disclosed in November 2023 and allows authenticated users to potentially trigger arbitrary code execution. The affected systems include Apache ActiveMQ configurations where Jolokia is enabled (Apache Advisory, NVD).

The vulnerability exists in ActiveMQ configurations where Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia. The exploitation chain involves org.jolokia.http.HttpRequestHandler#handlePostRequest creating JmxRequest through JSONObject and calling org.jolokia.http.HttpRequestHandler#executeRequest. Through deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to Remote Code Execution (RCE) through various mbeans, particularly via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. The attack can result in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The primary mitigation is to upgrade to Apache ActiveMQ versions 5.16.6, 5.17.4, 5.18.0, or 6.0.0 which include a more restrictive Jolokia configuration by default. Alternatively, organizations can restrict the actions authorized on Jolokia or disable Jolokia entirely (Apache Advisory).