Search Results (3)

Search Parameters:
Keywords = Apache ActiveMQ

19 pages, 5181 KB  
Article
Remote Code Execution via Log4J MBeans: Case Study of Apache ActiveMQ (CVE-2022-41678)
by Alexandru Răzvan Căciulescu, Matei Bădănoiu, Răzvan Rughiniș and Dinu Țurcanu
Computers 2025, 14(9), 355; https://doi.org/10.3390/computers14090355 - 28 Aug 2025
Cited by 1 | Viewed by 1180
Abstract
Java Management Extensions (JMX) are indispensable for managing and administrating Java software solutions, yet when exposed through HTTP bridges such as Jolokia they can radically enlarge an application’s attack surface. This paper presents the first in-depth analysis of CVE-2022-41678, a vulnerability discovered by the authors in Apache ActiveMQ that combines Jolokia’s remote JMX access with Log4J2 management beans to achieve full remote code execution. Using a default installation testbed, we enumerate the Log4J MBeans surfaced by Jolokia, demonstrate arbitrary file read, file write, and server-side request–forgery primitives, and finally leverage the file write capabilities to obtain a shell, all via authenticated HTTP(S) requests only. The end-to-end exploit chain requires no deserialization gadgets and is unaffected by prior Log4Shell mitigations. We have also automated the entire exploit process via proof-of-concept scripts on a stock ActiveMQ 5.17.1 instance. We discuss the broader security implications for any software exposing JMX-managed or Jolokia-managed Log4J contexts, provide concrete hardening guidelines, and outline design directions for safer remote-management stacks. The findings underscore that even “benign” management beans can become critical when surfaced through ubiquitous HTTP management gateways.

15 pages, 829 KB  
Article
Benchmarking Message Queues
by Rokin Maharjan, Md Showkat Hossain Chy, Muhammad Ashfakur Arju and Tomas Cerny
Telecom 2023, 4(2), 298-312; https://doi.org/10.3390/telecom4020018 - 13 Jun 2023
Cited by 8 | Viewed by 9231
Abstract
Message queues are a way for different software components or applications to communicate with each other asynchronously by passing messages through a shared buffer. This allows a sender to send a message without needing to wait for an immediate response from the receiver, which can help to improve the system’s performance, reduce latency, and allow components to operate independently. In this paper, we compared and evaluated the performance of four popular message queues: Redis, ActiveMQ Artemis, RabbitMQ, and Apache Kafka. The aim of this study was to provide insights into the strengths and weaknesses of each technology and to help practitioners choose the most appropriate solution for their use case. We primarily evaluated each technology in terms of latency and throughput. Our experiments were conducted using a diverse array of workloads to test the message queues under various scenarios. This enables practitioners to evaluate the performance of the systems and choose the one that best meets their needs. The results show that each technology has its own pros and cons. Specifically, Redis performed the best in terms of latency, whereas Kafka significantly outperformed the other three technologies in terms of throughput. The optimal choice depends on the specific requirements of the use case. This paper presents valuable insights for practitioners and researchers working with message queues. Furthermore, the results of our experiments are provided in JSON format as a supplement to this paper.

21 pages, 1114 KB  
Article
Software Fault Prediction Using an RNN-Based Deep Learning Approach and Ensemble Machine Learning Techniques
by Emin Borandag
Appl. Sci. 2023, 13(3), 1639; https://doi.org/10.3390/app13031639 - 27 Jan 2023
Cited by 40 | Viewed by 4895
Abstract
Alongside the modern software development life cycle approaches, software testing has gained more importance and has become an area researched actively within the software engineering discipline. In this study, machine learning and deep learning-related software fault predictions were made through a data set named SFP XP-TDD, which was created using three different developed software projects. A data set of five different classifiers widely used in the literature and their Rotation Forest classifier ensemble versions were trained and tested using this data set. Numerous publications in the literature discussed software fault predictions through ML algorithms addressing solutions to different problems. Some of these articles indicated the usage of feature selection algorithms to improve classification performance, while others reported operating ensemble machine learning algorithms for software fault predictions. Besides, a detailed literature review revealed that there were few studies involving software fault prediction with DL algorithms due to the small sample sizes in the data sets and the low success rates in the tests performed on these datasets. As a result, the major contribution of this research was to statistically demonstrate that DL algorithms outperformed ML algorithms in data sets with large sample values via employing three separate software fault prediction datasets. The experimental outcomes of a model that includes a layer of recurrent neural networks (RNNs) were enclosed within this study. Alongside the aforementioned and generated data sets, the study also utilized the Eclipse and Apache Active MQ data sets to test the effectiveness of the proposed deep learning method.
(This article belongs to the Special Issue Challenges in Using Machine Learning to Support Software Engineering)