Apache ActiveMQ default administrative credentials
Description
Apache ActiveMQ is deployed with default administrative credentials (username: admin, password: admin) that provide access to the Administration Console. These credentials are publicly documented and widely known, making systems using default configurations vulnerable to unauthorized access. If these credentials have not been changed from their default values, attackers can gain administrative control over the message broker.
Remediation
Immediately change the default administrative credentials for Apache ActiveMQ by following these steps:<br/><br/>1. Navigate to the ActiveMQ configuration directory and locate the file <strong>apache-activemq-x.x.x/conf/jetty-realm.properties</strong><br/>2. Edit the file and modify the admin user entry to use a strong, unique password:<br/><pre>admin: new_strong_password, admin</pre><br/>3. Consider changing the default username as well for additional security:<br/><pre>custom_admin_user: strong_password, admin</pre><br/>4. Ensure the password meets complexity requirements (minimum 12 characters, including uppercase, lowercase, numbers, and special characters)<br/>5. Restart the ActiveMQ service for changes to take effect<br/>6. Additionally, consider implementing IP-based access restrictions to the Administration Console and using HTTPS for all administrative access