1. Introduction
The Apache ActiveMQ Web Console default-credentials issue allows unauthenticated or trivially authenticated access to the web application console used for managing Apache ActiveMQ brokers. This poses a high risk: attackers who reach the console can gain control of message queues, potentially leading to data breaches, service disruption, and remote code execution. Systems running the ActiveMQ Web Console without proper authentication are affected. A successful exploit could compromise the confidentiality, integrity, and availability of messaging services.
2. Technical Explanation
The vulnerability stems from default credentials being used to protect the ActiveMQ Web Console administrative interface. Prior to version 5.4.0, no authentication was required. From 5.4.0 onwards, HTTP Basic Authentication became an option and is enabled by default in version 5.8.0. An attacker can exploit this by directly accessing the web console with the default credentials.
- Root cause: Use of default credentials without enforced authentication or weak default configuration.
- Exploit mechanism: An attacker sends HTTP requests to the ActiveMQ Web Console using the default username and password, gaining administrative access, for example by accessing the console with a web browser or a tool like curl.
- Scope: Apache ActiveMQ versions prior to 5.4.0, and versions 5.4.0 – 5.8.0 with default configuration.
3. Detection and Assessment
You can confirm the vulnerability by checking the version of ActiveMQ that is running and verifying whether authentication is enabled on the web console.
- Quick checks: Use the following command to check the ActiveMQ version:
  activemq --version
- Scanning: Nessus plugin ID 16829 can detect this vulnerability. OpenVAS also has relevant scans, but results may vary.
- Logs and evidence: Check web server logs for access attempts to the ActiveMQ Web Console without authentication or with default credentials. Look for successful logins from unexpected IP addresses.
4. Solution / Remediation Steps
Restrict access to the ActiveMQ Web Console, change the default login credentials, or disable the console if it is not required.
4.1 Preparation
- Consider a change window and approval from system owners, especially in production environments.
4.2 Implementation
- Step 1: Restrict access to the Web Console using firewall rules or network segmentation. Only allow trusted IP addresses to connect.
- Step 2: Change the default credentials by modifying the activemq.xml configuration file. Locate the admin user section and update the username and password.
- Step 3: Restart the ActiveMQ service for changes to take effect.
4.3 Config or Code Example
Before
<adminUser username="admin" password="admin"/>
After
<adminUser username="new_username" password="strong_password"/>
4.4 Security Practices Relevant to This Vulnerability
Least privilege and secure defaults are the key practices for mitigating this class of vulnerability.
- Practice 1: Least privilege – limit access to sensitive interfaces like the Web Console to only authorized personnel.
- Practice 2: Secure defaults – avoid using default credentials and enforce strong password policies.
4.5 Automation (Optional)
Ansible can be used to update the ActiveMQ configuration file automatically, but this requires careful testing.
---
- name: Change ActiveMQ admin password
  hosts: activemq_servers
  tasks:
    - replace:
        path: /opt/activemq/conf/activemq.xml # Adjust path as needed
        regexp: 'username="admin" password="admin"'
        # Keep the real password in Ansible Vault rather than in the playbook text
        replace: 'username="new_username" password="strong_password"'
      notify: Restart ActiveMQ
  handlers:
    - name: Restart ActiveMQ
      service:
        name: activemq
        state: restarted
5. Verification / Validation
Confirm the fix by verifying that access to the Web Console with default credentials is no longer possible and that new credentials are required.
- Post-fix check: Attempt to log in to the ActiveMQ Web Console using the original default username and password; authentication should fail.
- Re-test: Re-run the version check (activemq --version) and verify that access is restricted or requires the new credentials.
- Smoke test: Verify that authorized users can still log in to the Web Console with the updated credentials and perform basic administrative tasks.
- Monitoring: Monitor web server logs for failed login attempts using default credentials, indicating potential brute-force attacks.
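The log review in section 3 and the monitoring in section 5 can be scripted. The following is an added example, not part of the original advisory: it scans Jetty-style NCSA access log lines (a constructed sample is embedded) for console responses served with no authenticated user, admin logins from addresses outside an assumed allowlist, and repeated 401 responses from a single address. The log format, the /admin path prefix, the allowlist and the threshold are assumptions to adapt to your deployment.

```python
import re
from collections import Counter

# Constructed Jetty/NCSA-style access log sample (not from a real broker).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5123
10.0.0.5 - admin [01/Mar/2024:10:00:09 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4211
203.0.113.9 - admin [01/Mar/2024:10:01:30 +0000] "GET /admin/ HTTP/1.1" 200 4211
198.51.100.7 - - [01/Mar/2024:10:02:00 +0000] "GET /admin/ HTTP/1.1" 401 0
198.51.100.7 - - [01/Mar/2024:10:02:01 +0000] "GET /admin/ HTTP/1.1" 401 0
198.51.100.7 - - [01/Mar/2024:10:02:02 +0000] "GET /admin/ HTTP/1.1" 401 0
10.0.0.5 - - [01/Mar/2024:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# host ident authuser [timestamp] "METHOD path protocol" status bytes
NCSA = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

CONSOLE_PREFIX = "/admin"          # assumption: web console context path
TRUSTED_ADMIN_IPS = {"10.0.0.5"}   # assumption: the allowlist from the firewall step
AUTH_FAILURE_THRESHOLD = 3         # assumption: tune to your environment


def analyse(log_text, trusted=TRUSTED_ADMIN_IPS, threshold=AUTH_FAILURE_THRESHOLD):
    """Return (finding_type, source_ip, detail) tuples for console-related events."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        m = NCSA.match(line)
        if not m:
            continue
        ip, user, _method, path, status = m.groups()
        if not path.startswith(CONSOLE_PREFIX):
            continue
        if status == "200" and user == "-":
            # A console page served with no authenticated user means
            # authentication is not being enforced on this path.
            findings.append(("UNAUTHENTICATED_ACCESS", ip, path))
        elif status == "200" and ip not in trusted:
            # Successful admin session from outside the allowlist.
            findings.append(("ADMIN_LOGIN_UNTRUSTED_IP", ip, user))
        elif status == "401":
            failures[ip] += 1
    for ip, count in failures.items():
        if count >= threshold:
            # Repeated rejected logins from one source: possible credential guessing.
            findings.append(("REPEATED_AUTH_FAILURES", ip, count))
    return findings
```

Feed the function the broker's real access log text; a non-empty result for UNAUTHENTICATED_ACCESS after the fix means the authentication change did not take effect on that path.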
Attempt to access the console with 'admin/admin' - should fail.
6. Preventive Measures and Monitoring
Regular security baselines and vulnerability scanning can help prevent this issue.
- Baselines: Update your security baseline or policy to include requirements for strong passwords and restricted access to administrative interfaces like the ActiveMQ Web Console.
- Pipelines: Integrate SAST tools into your CI/CD pipeline to identify hardcoded credentials in configuration files.
- Asset and patch process: Implement a regular patch cycle for Apache ActiveMQ to ensure you are running the latest security updates.
7. Risks, Side Effects, and Roll Back
Changing the default credentials could disrupt existing integrations that rely on them, and incorrect configuration changes can prevent ActiveMQ from starting.
- Risk or side effect 1: Existing integrations that rely on the default credentials may stop working after the change.
- Risk or side effect 2: Configuration errors preventing ActiveMQ from starting; carefully review configuration files and test changes in a non-production environment first.
- Roll back: Restore the original activemq.xml configuration file and restart the ActiveMQ service.
8. References and Resources
- Vendor advisory or bulletin: http://activemq.apache.org/web-console.html
- NVD or CVE entry: No specific CVE is listed, but the issue is documented in security advisories related to default credentials.
- Product or platform documentation relevant to the fix: http://activemq.apache.org/getting-started.html