好的,我现在需要帮用户总结一篇关于Apache ActiveMQ Classic代码注入漏洞的文章,控制在100字以内。首先,我要仔细阅读文章内容,抓住关键点。 文章主要讲的是一个认证的远程代码执行漏洞,存在于Jolokia JMX-HTTP桥接器中,通过Web控制台暴露。影响版本包括5.19.4之前的5.x和6.x版本。攻击者可以通过构造URI,导致broker加载恶意Spring XML配置,进而执行任意代码。 接下来,漏洞是由Horizon3.ai发现的,存在了十多年,是多个合法功能交互的结果。另外,在某些版本中,Jolokia不需要认证,攻击者可以无需凭证利用漏洞。 技术细节部分提到CVE-2026-34197,涉及BrokerService的方法接受URI输入。攻击者使用xbean协议构造URI,导致ActiveMQ加载远程配置。修复方法是升级到5.19.4或6.2.3及以上版本,并限制控制台和Jolokia的访问。 最后是时间线和参考链接。 现在要将这些信息浓缩到100字以内。重点包括:漏洞类型、影响版本、攻击方式、利用条件、修复措施等。 可能的结构:Apache ActiveMQ Classic存在认证远程代码注入漏洞(CVE-2026-34197),影响5.x和6.x旧版本。攻击者通过构造URI利用Jolokia桥接器加载恶意配置,执行任意代码。修复建议升级到指定版本并限制访问。 </think> Apache ActiveMQ Classic 存在认证远程代码注入漏洞(CVE-2026-34197),影响 5.x 和 6.x 旧版本。攻击者通过构造 URI 利用 Jolokia 桥接器加载恶意 Spring XML 配置,执行任意代码。修复建议升级到 5.19.4 或 6.2.3 及以上版本,并限制 Web 控制台和 Jolokia 端点访问以降低风险。 2026-4-7 19:30:58 Author: horizon3.ai(查看原文) 阅读量:32 收藏
Apache ActiveMQ Classic Code Injection
Apache ActiveMQ Classic contains an authenticated remote code execution vulnerability in its Jolokia JMX-HTTP bridge exposed through the web console. The issue affects Apache ActiveMQ Broker before 5.19.4 and from 6.0.0 before 6.2.3. An authenticated attacker can supply a crafted URI to broker management operations, causing the broker to load a malicious remote Spring XML configuration and execute arbitrary code within the JVM.
This vulnerability was discovered by Horizon3.ai and reflects a deeper issue that has effectively existed for over a decade, emerging from the interaction of multiple legitimate features rather than a single coding flaw.
On affected versions where Jolokia is exposed without authentication (CVE-2024-32114), this vulnerability can be exploited without credentials, enabling unauthenticated remote code execution.
Technical Details
CVE-2026-34197 is an authenticated code injection vulnerability in Apache ActiveMQ Classic’s exposure of the Jolokia JMX-HTTP bridge at /api/jolokia/.
The Jolokia endpoint allows execution of MBean operations. By default, it permits exec access to ActiveMQ MBeans, including:
BrokerService.addNetworkConnector(String)BrokerService.addConnector(String)
These operations accept a URI as input. An attacker can supply a crafted URI using the xbean: protocol, which causes ActiveMQ to load a remote Spring XML application context.
This exposure stems from prior hardening changes that restricted Jolokia access broadly while allowing unrestricted operations on ActiveMQ MBeans, unintentionally exposing dangerous functionality.
Stop Guessing, Start Proving
The exploit chain works as follows:
- The attacker invokes
addNetworkConnectorthrough Jolokia - A crafted
vm://URI is supplied withbrokerConfig=xbean:http://... - ActiveMQ attempts to create a broker using the attacker-controlled configuration
- Spring loads the remote XML and instantiates beans
- Malicious beans invoke Java methods such as
Runtime.exec()
The result is arbitrary code execution as the ActiveMQ service user.
This vulnerability becomes significantly more dangerous when combined with:
- Weak or default web console credentials (commonly
admin:admin) - Exposed Jolokia endpoints
- CVE-2024-32114, which removes authentication requirements entirely on some versions
An attacker who reaches the web console can move directly to code execution and full host compromise.
NodeZero® Proactive Security Platform — Rapid Response
A Rapid Response test for CVE-2026-34197 enables organizations to quickly validate whether their Apache ActiveMQ Classic environment is actually exploitable.
- Run the Rapid Response test: Launch the test from the NodeZero platform to determine whether an attacker can execute this path in your environment
- Patch immediately: Upgrade to fixed versions and restrict exposure of the web console and Jolokia endpoints
- Re-run the Rapid Response test: Validate that remediation actions have eliminated the exploit path
Version checks don’t tell you if you’re exposed. This test does.
Indicators of Compromise
At the time of publication, no vendor-provided indicators of compromise have been released. However, exploitation leaves clear and high-signal traces.
| Indicator | Type | Description |
/api/jolokia/ requests | HTTP activity | Suspicious POST requests invoking exec operations on ActiveMQ MBeans |
addNetworkConnector usage | Application behavior | Invocation with unexpected or external URIs |
vm://...brokerConfig=xbean:http:// | Log artifact | Strong indicator of exploitation attempt loading remote Spring XML |
| Outbound HTTP requests | Network activity | Connections from the broker to attacker-controlled infrastructure |
| Unexpected process execution | Host behavior | Child processes spawned by the ActiveMQ Java process |
Note: Code execution occurs during the connection attempt. Error or failure messages in logs may appear after the payload has already executed.
Affected versions & patch
Affected:
- Apache ActiveMQ Broker before 5.19.4
- Apache ActiveMQ Broker from 6.0.0 before 6.2.3
- Apache ActiveMQ
activemq-allbefore 5.19.4 - Apache ActiveMQ
activemq-allfrom 6.0.0 before 6.2.3
Patch:
- Upgrade to Apache ActiveMQ Classic 5.19.4 or 6.2.3 or later
The patch removes the ability for addNetworkConnector to instantiate vm:// transports, eliminating the code execution path.
Interim mitigation:
- Restrict access to the ActiveMQ web console to trusted networks only
- Disable or tightly control access to the Jolokia JMX-HTTP bridge
- Remove default credentials and enforce strong authentication
- Limit which users can invoke broker management operations
Timeline
- March 22, 2026: Horizon3.ai reports the vulnerability to Apache
- March 26, 2026: Apache ActiveMQ team acknowledges the report and assigns CVE-2026-34197
- March 30, 2026: Apache releases ActiveMQ Classic version 6.2.3 with a fix
- April 6, 2026: Apache publishes the security advisory for CVE-2026-34197
- April 7, 2026: CVE-2026-34197 is publicly published
References
- Apache ActiveMQ Advisory (CVE-2026-34197)
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt - CVE Record for CVE-2026-34197
https://www.cve.org/CVERecord?id=CVE-2026-34197
如有侵权请联系:admin#unsafe.sh