Oracle · Java · CVE-2022-41678
**Name of the Vulnerable Software and Affected Versions**
Apache ActiveMQ versions prior to 5.16.6
Apache ActiveMQ versions prior to 5.17.4
Apache ActiveMQ versions prior to 5.18.0
Apache ActiveMQ versions prior to 6.0.0
**Description**
An authentication flaw in the Jolokia component allows an authenticated user to trigger arbitrary code execution. In ActiveMQ configurations, the embedded Jetty server routes requests for the `/api/jolokia` endpoint to `org.jolokia.http.AgentServlet`. The `handlePostRequest()` method in `org.jolokia.http.HttpRequestHandler` builds a `JmxRequest` from the POSTed `JSONObject` and calls `executeRequest()`; further down the call stack, `doHandleRequest()` in `org.jolokia.handler.ExecHandler` invokes the requested MBean operation through reflection. Because the set of reachable MBeans is not restricted, this can lead to remote code execution via various MBeans, such as unrestricted deserialization in `jdk.management.jfr.FlightRecorderMXBeanImpl` on Java versions above 11. The exploitation process involves calling `newRecording()`, `setConfiguration()` to hide webshell data, `startRecording()`, and the `copyTo()` method to write the webshell to a `.jsp` file.
**Recommendations**
Update to Apache ActiveMQ versions 5.16.6, 5.17.4, 5.18.0, or 6.0.0 to apply a more restrictive Jolokia configuration.
Disable Jolokia or restrict the authorized actions within Jolokia to minimize the risk of exploitation.
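The request flow in the description (a JSON body POSTed to `/api/jolokia`, each object carrying a `type`, `mbean` and `operation`) and the recommendation to restrict the authorized actions within Jolokia can be exercised together with a small offline check. The following is an added example, not code from Jolokia or Apache ActiveMQ: it models the semantics of a restrictive Jolokia access policy (an allow-list of request types plus a deny-list of MBean names) and applies it to constructed request bodies, reporting every request a hardened deployment should reject. The ObjectName `jdk.management.jfr:type=FlightRecorder` for the Flight Recorder MXBean, the sample bodies and the function names are assumptions of this example.

```python
"""Model of a restrictive Jolokia access policy applied to JSON request bodies.

Added illustration (not Jolokia's or ActiveMQ's code): it mimics what a
jolokia-access.xml policy enforces so that request bodies can be classified
offline, e.g. when reviewing captured traffic or testing a policy change.
"""
from __future__ import annotations

import fnmatch
import json

# Request types a hardened policy allows: read-only introspection only.
# "exec" and "write" are deliberately absent.
ALLOWED_TYPES = {"read", "list", "search", "version"}

# MBeans denied regardless of request type (glob on the ObjectName).
# Assumption: jdk.management.jfr:type=FlightRecorder is the FlightRecorderMXBean.
DENIED_MBEANS = ["jdk.management.jfr:*"]

# Operations named in the advisory; findings on these are tagged so they stand out.
SUSPICIOUS_OPERATIONS = {"newRecording", "setConfiguration", "startRecording", "copyTo"}

# Constructed sample bodies (not captured from a real system).
SAMPLE_BENIGN = '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}'
SAMPLE_CHAIN = json.dumps([
    {"type": "exec", "mbean": "jdk.management.jfr:type=FlightRecorder", "operation": "newRecording"},
    {"type": "exec", "mbean": "jdk.management.jfr:type=FlightRecorder", "operation": "setConfiguration"},
    {"type": "exec", "mbean": "jdk.management.jfr:type=FlightRecorder", "operation": "startRecording"},
    {"type": "exec", "mbean": "jdk.management.jfr:type=FlightRecorder", "operation": "copyTo"},
    # An exec on an unrelated MBean: still denied by the type allow-list,
    # but not part of the chain the advisory describes.
    {"type": "exec", "mbean": "java.lang:type=Memory", "operation": "gc"},
])


def evaluate(request: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one Jolokia request object."""
    rtype = request.get("type", "")
    mbean = request.get("mbean", "")
    # Deny-listed MBeans are rejected first, whatever the request type.
    if any(fnmatch.fnmatch(mbean, pattern) for pattern in DENIED_MBEANS):
        return False, f"denied mbean {mbean}"
    if rtype not in ALLOWED_TYPES:
        return False, f"request type {rtype!r} not in allow-list"
    return True, "ok"


def flag_body(body: str) -> list[dict]:
    """Parse a POST body (single object or batch array); return one finding per denied request."""
    parsed = json.loads(body)
    requests = parsed if isinstance(parsed, list) else [parsed]
    findings = []
    for req in requests:
        allowed, reason = evaluate(req)
        if allowed:
            continue
        findings.append({
            "type": req.get("type"),
            "mbean": req.get("mbean"),
            "operation": req.get("operation"),
            "reason": reason,
            # True when the denied operation is one the advisory names.
            "matches_advisory_chain": req.get("operation") in SUSPICIOUS_OPERATIONS,
        })
    return findings


if __name__ == "__main__":
    print("benign body:", flag_body(SAMPLE_BENIGN))
    for finding in flag_body(SAMPLE_CHAIN):
        print("DENIED", finding)
```

The same two rules map directly onto a real `jolokia-access.xml`: the `ALLOWED_TYPES` set corresponds to the policy's list of permitted commands, and `DENIED_MBEANS` to an MBean deny entry; a policy built that way rejects every request in the chain above while leaving ordinary read-only monitoring of the broker intact.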