PT-2026-45373 · Apache · Activemq
CVSS v2.0
8.5
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ Broker versions prior to 5.19.7
Apache ActiveMQ Broker versions 6.0.0 through 6.2.5
Apache ActiveMQ All versions prior to 5.19.7
Apache ActiveMQ All versions 6.0.0 through 6.2.5
Apache ActiveMQ versions prior to 5.19.7
Apache ActiveMQ versions 6.0.0 through 6.2.5
Description
Improper input validation and improper control of code generation lead to a code injection issue. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at the '/api/jolokia/' endpoint on the web console. The default access policy allows execution operations on all ActiveMQ MBeans, specifically the
addNetworkConnector(String) function within BrokerService. An authenticated attacker can use a crafted discovery URI to trigger the brokerConfig parameter of the VM transport via a "masterslave://" URL. This allows the loading of a Spring XML application context using ResourceXmlApplicationContext. Since this context instantiates singleton beans before the configuration is validated, arbitrary code can be executed on the broker's JVM through bean factory methods such as Runtime.exec().Recommendations
Upgrade Apache ActiveMQ Broker to version 5.19.7 or 6.2.6.
Upgrade Apache ActiveMQ All to version 5.19.7 or 6.2.6.
Upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6.
Exploit
Fix
DoS
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Activemq