Missing Authorization Affecting io.antmedia:ant-media-server package, versions [2.6.0,2.9.0)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-IOANTMEDIA-6672885
- published 24 Apr 2024
- disclosed 22 Apr 2024
- credit Adam Crosser
Introduced: 22 Apr 2024
New CVE-2024-32656 Open this link in a new tabHow to fix?
Upgrade io.antmedia:ant-media-server
to version 2.9.0 or higher.
Overview
io.antmedia:ant-media-server is a media server supporting RTMP, RTSP, WebRTC and Adaptive Bitrate.
Affected versions of this package are vulnerable to Missing Authorization allowing an unprivileged operating system user to connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. Exploiting this vulnerability allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the “antmedia” service account on the system.
Note
Exploiting this vulnerability is possible when Ant Media Server is running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP.
Workaround
This vulnerability can be mitigated by removing the following parameters from the service file:
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5599 -Dcom.sun.management.jmxremote.local.only=true -Dcom.sun.management.jmxremote.host=127.0.0.1 -Djava.rmi.server.hostname=127.0.0.1 -Djava.rmi.server.useLocalHostname=true -Dcom.sun.management.jmxremote.rmi.port=5599