CVE-2016-3088
Published: 01 June 2016
Summary
CVE-2016-3088 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Apache ActiveMQ. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2016-3088 is an unrestricted file upload flaw (CWE-434) in the Fileserver web application component of Apache ActiveMQ 5.x releases prior to 5.14.0. It enables remote attackers to place arbitrary files on the server by issuing an HTTP PUT request followed by an HTTP MOVE request. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
Unauthenticated attackers with network access to the ActiveMQ Fileserver endpoint can exploit the issue to upload executable content and subsequently invoke it, resulting in full control over confidentiality, integrity, and availability of the affected broker and host system.
Public advisories, including the Apache ActiveMQ security announcement and the corresponding Red Hat erratum, direct users to upgrade to version 5.14.0 or later to eliminate the vulnerable Fileserver behavior. Additional vendor tracking entries from SecurityTracker and Zero Day Initiative reference the same remediation path.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-5255
Vulnerability details
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
- CWE(s): CWE-434
- KEV Date Added: 10 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces authorization checks on the ActiveMQ Fileserver endpoint so that unauthenticated PUT and MOVE requests are rejected before arbitrary files can be uploaded or executed.
Requires validation of all input (including file names, content types, and destinations) to block the unrestricted file-upload sequence that defines CVE-2016-3088.
Disables or removes the vulnerable Fileserver web application component entirely, eliminating the attack surface that the PUT/MOVE flaw exploits.
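One way to check broker request logs for the PUT-then-MOVE sequence described above, as an added example that is not part of the original advisory or of ActiveMQ itself. It assumes NCSA-style access log lines and that the Fileserver web application is mounted at /fileserver/; the log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Assumptions (not from the advisory): NCSA-style request log format and
# the Fileserver web application mounted under /fileserver/.
FILESERVER_PREFIX = "/fileserver/"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def find_put_move_sequences(lines):
    """Flag a MOVE on a Fileserver path that the same client uploaded earlier via PUT."""
    uploaded = defaultdict(dict)  # client -> {path: timestamp of accepted PUT}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.startswith(FILESERVER_PREFIX):
            continue
        client, method, status = m["client"], m["method"], m["status"]
        if method == "PUT" and status.startswith("2"):
            # Only accepted uploads matter; a 401/403/404 means the write was refused.
            uploaded[client][path] = m["ts"]
        elif method == "MOVE" and path in uploaded[client]:
            findings.append({
                "client": client,
                "path": path,
                "put_at": uploaded[client][path],
                "move_at": m["ts"],
                "move_status": status,  # 2xx here means the file was relocated
            })
    return findings

# Constructed sample log lines (documentation address ranges, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2016:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Jun/2016:10:02:11 +0000] "PUT /fileserver/report.txt HTTP/1.1" 204 0',
    '192.0.2.10 - - [01/Jun/2016:10:02:30 +0000] "PUT /fileserver/blocked.txt HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Jun/2016:10:02:15 +0000] "MOVE /fileserver/report.txt HTTP/1.1" 204 0',
    '192.0.2.10 - - [01/Jun/2016:10:03:00 +0000] "MOVE /fileserver/blocked.txt HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in find_put_move_sequences(SAMPLE_LOG):
        print(finding)
```

On a broker upgraded to 5.14.0 or later, or with the Fileserver removed, any request to this path is itself worth reviewing, since the component should no longer answer.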