Vulnerability Description
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Activemq | < 5.15.12 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0, <= 8.2.2 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.Vendor Advisory
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737
- https://lists.debian.org/debian-lts-announce/2020/10/msg00013.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
- http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.Vendor Advisory
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737
- https://lists.debian.org/debian-lts-announce/2020/10/msg00013.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
FAQ
What is CVE-2020-13920?
CVE-2020-13920 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and cal...
How severe is CVE-2020-13920?
CVE-2020-13920 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13920?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq, Oracle Communications Diameter Signaling Router, Oracle Flexcube Private Banking, Debian Debian Linux.