
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache ActiveMQ Artemis before version 2.29.0 exposed diagnostic information and controls through MBeans via its authenticated Jolokia endpoint (the JMX-over-HTTP API behind the broker's web console). The vulnerability, identified as CVE-2023-50780, specifically included exposure of the Log4J2 MBean to non-administrative users, for whom it was never intended. The flaw was discovered by Matei "Mal" Badanoiu and has been assigned a CVSS v3.1 base score of 8.8 (HIGH) (NVD, Red Hat).
The vulnerability stems from improper authorization (CWE-285) in the MBean exposure mechanism: the Jolokia endpoint authenticated callers but did not restrict the Log4J2 MBean to administrative roles, so any authenticated user could reach it. The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability (NVD).
Through the exposed MBean an authenticated attacker could write arbitrary files to the broker's filesystem and potentially achieve remote code execution (RCE). Red Hat rates the flaw Important rather than Critical because exploitation requires valid credentials for the Jolokia endpoint, but the privileges required are low (PR:L): any non-administrative account that can reach the endpoint suffices, so the realistic attackers are low-privileged console users, compromised accounts, and insiders, and successful exploitation can still end in full system compromise (Red Hat).
Users are strongly recommended to upgrade to Apache ActiveMQ Artemis 2.29.0 or later, which fixes the authorization check. No alternative mitigation currently meets Red Hat Product Security's criteria for ease of use, deployment, and stability (Red Hat); that does not preclude the usual compensating controls of restricting network access to the console/Jolokia port and minimizing which accounts hold console credentials while the upgrade is scheduled.
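A practitioner verifying whether a broker still has this exposure wants a check that uses a low-privileged (non-admin) account, not the admin account. The following is an added example, not code from this page or from the Apache ActiveMQ Artemis project: it issues a Jolokia `search` for the `org.apache.logging.log4j2` MBean domain (the domain Log4j 2 registers its JMX beans under) and then a `read` of each MBean found, and classifies the outcome. The Jolokia URL path (`/console/jolokia/` on port 8161, the Artemis default), HTTP Basic authentication, the `Origin` header, and the attribute name in the sample response are assumptions; the sample responses are constructed for offline use.

```python
"""Check whether an Apache ActiveMQ Artemis Jolokia endpoint exposes the Log4J2
MBean to a given (ideally non-admin) account, per CVE-2023-50780.

Added example; not code from the Wiz page or the Artemis project.
Assumptions: Jolokia lives at /console/jolokia/ on port 8161 (Artemis default),
HTTP Basic auth is accepted, and Log4j 2 MBeans sit under the
org.apache.logging.log4j2 domain. Sample responses are constructed.
"""
import base64
import json
import urllib.error
import urllib.request

LOG4J2_DOMAIN = "org.apache.logging.log4j2"
DEFAULT_URL = "http://localhost:8161/console/jolokia/"  # assumption: default broker layout


def search_request(domain=LOG4J2_DOMAIN):
    """Jolokia 'search' lists every MBean name matching the pattern."""
    return {"type": "search", "mbean": f"{domain}:*"}


def read_request(mbean):
    """Jolokia 'read' without an attribute returns all attributes of the MBean."""
    return {"type": "read", "mbean": mbean}


def assess(search_resp, read_resps):
    """Classify what the account could do with the Log4J2 MBeans.

    search_resp: Jolokia JSON response to search_request().
    read_resps:  {mbean_name: Jolokia JSON response to read_request(name)}.
    Returns (verdict, names). 'exposed' means attributes were readable by this
    account, the non-admin access 2.29.0 is meant to deny; 'listed-only' means
    names were enumerable but every read was refused; 'blocked' means even the
    search was denied; 'absent' means no Log4J2 MBean is registered at all.
    """
    status = search_resp.get("status")
    if status in (401, 403):
        return ("blocked", [])
    if status != 200:
        return ("error", [search_resp.get("error", "unexpected status")])
    names = search_resp.get("value") or []
    if not names:
        return ("absent", [])
    readable = sorted(n for n, r in read_resps.items() if r.get("status") == 200)
    return ("exposed", readable) if readable else ("listed-only", sorted(names))


def _post(url, payload, user, password, timeout=10):
    """One authenticated Jolokia POST (network). Jolokia's CORS/CSRF check
    rejects POSTs whose Origin is not allow-listed; sending the broker's own
    origin is an assumption matching the default localhost allow-list."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    origin = "/".join(url.split("/", 3)[:3])  # scheme://host:port
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}", "Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:  # e.g. 401 from the console's auth layer
        return {"status": exc.code, "error": str(exc)}


def check_live(url, user, password):
    """Search for Log4J2 MBeans, then try to read each one found (network)."""
    search_resp = _post(url, search_request(), user, password)
    names = (search_resp.get("value") or []) if search_resp.get("status") == 200 else []
    read_resps = {n: _post(url, read_request(n), user, password) for n in names}
    return assess(search_resp, read_resps)


# Constructed sample responses in Jolokia's JSON shape (not captured from a broker).
LOG4J2_MBEAN = "org.apache.logging.log4j2:type=18b4aac2"
SAMPLE_SEARCH_OK = {"status": 200, "timestamp": 0, "value": [LOG4J2_MBEAN]}
SAMPLE_READ_OK = {"status": 200, "timestamp": 0,
                  "value": {"ConfigLocationUri": "file:///opt/broker/etc/log4j2.properties"}}
SAMPLE_DENIED = {"status": 403, "error_type": "java.lang.SecurityException",
                 "error": "java.lang.SecurityException : Access denied"}


def demo():
    """Offline walk-through: pre-fix behaviour versus the expected post-fix denial."""
    vulnerable = assess(SAMPLE_SEARCH_OK, {LOG4J2_MBEAN: SAMPLE_READ_OK})
    fixed = assess(SAMPLE_SEARCH_OK, {LOG4J2_MBEAN: SAMPLE_DENIED})
    return vulnerable, fixed


if __name__ == "__main__":
    print(demo())
    # Against a real broker: print(check_live(DEFAULT_URL, "lowpriv", "password"))
```

Run it with an account that holds no administrative role: an `exposed` verdict on a pre-2.29.0 broker confirms the missing authorization check, while `listed-only` shows that MBean names leak through `search` but attribute reads are refused, which is the weaker condition and not by itself the CVE. A test with the admin account tells you nothing, since admin access to the MBean is intended.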
Source: This report was generated using AI