Apache · Activemq · CVE-2026-40466
**Name of the Vulnerable Software and Affected Versions**
- Apache ActiveMQ Broker versions prior to 5.19.6
- Apache ActiveMQ Broker versions 6.0.0 through 6.2.4
- Apache ActiveMQ All versions prior to 5.19.6
- Apache ActiveMQ All versions 6.0.0 through 6.2.4
- Apache ActiveMQ versions prior to 5.19.6
- Apache ActiveMQ versions 6.0.0 through 6.2.4
**Description**
Improper input validation and improper control of code generation allow an authenticated attacker to achieve remote code execution on the broker's JVM. If the `activemq-http` module is on the classpath, an attacker can use Jolokia to add a connector via `BrokerView.addNetworkConnector()` or `BrokerView.addConnector()` using an HTTP Discovery transport. A malicious HTTP endpoint can return a VM transport through the HTTP URI, bypassing existing validations. The attacker can then utilize the `brokerConfig` parameter of the VM transport to load a remote Spring XML application context via `ResourceXmlApplicationContext`. Since `ResourceXmlApplicationContext` instantiates all singleton beans before the `BrokerService` validates the configuration, arbitrary code can be executed through bean factory methods such as `Runtime.exec()`.
**Recommendations**
- Upgrade Apache ActiveMQ Broker versions prior to 5.19.6 to version 5.19.6.
- Upgrade Apache ActiveMQ Broker versions 6.0.0 through 6.2.4 to version 6.2.5.
- Upgrade Apache ActiveMQ All versions prior to 5.19.6 to version 5.19.6.
- Upgrade Apache ActiveMQ All versions 6.0.0 through 6.2.4 to version 6.2.5.
- Upgrade Apache ActiveMQ versions prior to 5.19.6 to version 5.19.6.
- Upgrade Apache ActiveMQ versions 6.0.0 through 6.2.4 to version 6.2.5.
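The two things a defender wants to do with this advisory are to find which brokers fall inside the affected ranges stated above and to spot Jolokia `exec` calls against the `BrokerView` operations named in the description (`addNetworkConnector`, `addConnector`) in the web console's access log. The script below is an added example written for this page; it is not code from the Apache ActiveMQ project or from the CVE record. The version boundaries come from the advisory; the access-log format, the sample log lines, the client addresses and the user names are constructed for the example, and the `/api/jolokia/exec/<mbean>/<operation>/...` URL shape is the Jolokia GET convention as exposed by the ActiveMQ web console.

```python
"""Defensive triage helpers for CVE-2026-40466 (Apache ActiveMQ).

Added example, not code from the Apache ActiveMQ project.

  1. is_affected_version(): does a broker version fall in the advisory's
     affected ranges (before 5.19.6, or 6.0.0 through 6.2.4)?
  2. find_suspicious_jolokia_requests(): scan web-console access-log lines
     for Jolokia exec calls to the BrokerView operations the advisory names.

The log format and the sample lines are constructed for this example.
"""
import re
from typing import List, Tuple

# Fixed versions from the advisory: 5.x line fixed in 5.19.6, 6.x line in 6.2.5.
FIXED_5X = (5, 19, 6)
FIXED_6X = (6, 2, 5)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.18.3' (or '6.1.0-SNAPSHOT') into a comparable tuple of ints.

    A non-numeric suffix such as '-SNAPSHOT' is dropped, so a snapshot is
    judged by the release number it carries. Short versions are padded to
    three components so '5.19' compares like (5, 19, 0).
    """
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    while len(nums) < 3:
        nums = nums + (0,)
    return nums


def is_affected_version(version: str) -> bool:
    """True if the version lies in a range the advisory marks as affected.

    Affected: everything before 5.19.6, and 6.0.0 through 6.2.4 inclusive.
    5.19.6+ on the 5.x line and 6.2.5+ are fixed. A version on a line the
    advisory does not mention is reported as not affected, which means
    'not listed', not 'known safe'.
    """
    v = parse_version(version)
    if v < (6, 0, 0):
        return v < FIXED_5X
    return v < FIXED_6X  # 6.0.0 .. 6.2.4 are affected


# BrokerView operations the advisory names as the entry point.
SENSITIVE_OPERATIONS = ("addNetworkConnector", "addConnector")

# Constructed combined-style access log: client ident user [time] "METHOD path proto" status size
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Jolokia GET exec URL: /jolokia/exec/<mbean>/<operation>[/<args>...]
_JOLOKIA_EXEC_RE = re.compile(r'/jolokia/exec/(?P<mbean>[^/]+)/(?P<op>[A-Za-z]+)(?:/|$)')


def find_suspicious_jolokia_requests(lines: List[str]) -> List[Tuple[str, str, str, str, int]]:
    """Return (client, user, operation, mbean, status) for every access-log
    line that is a Jolokia exec call to a SENSITIVE_OPERATION on an
    org.apache.activemq MBean. Denied calls (4xx) are reported too: a refused
    attempt is still worth knowing about."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        j = _JOLOKIA_EXEC_RE.search(m.group("path"))
        if not j:
            continue
        mbean, op = j.group("mbean"), j.group("op")
        if op in SENSITIVE_OPERATIONS and mbean.startswith("org.apache.activemq:"):
            hits.append((m.group("client"), m.group("user"), op, mbean, int(m.group("status"))))
    return hits


# Constructed sample log; operation arguments are replaced by placeholders.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [01/Jan/2026:10:00:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount HTTP/1.1" 200 512',
    '10.0.0.9 - admin [01/Jan/2026:10:00:02 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/%3Cdiscovery-uri%3E HTTP/1.1" 200 128',
    '192.0.2.77 - svc-monitor [01/Jan/2026:10:00:03 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addConnector/%3Cbind-uri%3E HTTP/1.1" 403 0',
    '10.0.0.9 - admin [01/Jan/2026:10:00:04 +0000] "POST /api/jolokia/ HTTP/1.1" 200 256',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for ver in ("5.18.3", "5.19.6", "6.2.4", "6.2.5"):
        print(f"{ver}: {'AFFECTED' if is_affected_version(ver) else 'not listed as affected'}")
    for hit in find_suspicious_jolokia_requests(SAMPLE_ACCESS_LOG):
        print("jolokia exec hit:", hit)
```

The URL-based check only sees Jolokia requests made with GET; Jolokia also accepts the same operation as a JSON `POST` body (the fourth sample line), which an access log does not capture, so pair this with request-body logging or Jolokia's own request restrictions, and treat the version check as the authoritative signal: a broker inside an affected range should be upgraded regardless of what the log shows.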