Share
## https://sploitus.com/exploit?id=0EB06AF4-CFA4-5311-9994-15760AF8992B
# CVE-2026-34197 ActiveMQ Classic Security Detection Tool

This tool is designed for defensive and internal network troubleshooting purposes, targeting the Apache ActiveMQ Classic exposure surface. It helps assess risks related to CVE-2026-34197. This project does not contain exploit code; it does not execute Jolokia `exec`, create connectors, load remote XMLs, or modify the Broker state. The tool only performs read-only HTTP scans and optional local configuration checks, making it suitable for security inspections in authorized internal environments.

## Detection Approach

The tool does not rely solely on version numbers but combines multiple criteria:

- Whether the ActiveMQ Classic version is within the affected range;
- Whether `/api/jolokia/version` is accessible;
- Whether Jolokia requires authentication;
- Whether ActiveMQ MBean metadata can be read via Jolokia;
- Whether the metadata contains operation names that could potentially change the Broker’s state;
- Whether local configurations include risk indicators such as overly broad Jolokia access policies, disabled authentication, or overly broad bindings. These checks are read-only actions aimed at helping determine the exposure surface and prioritize mitigation measures.

## Usage

**Check Version:**

```bash
python3 activemq_cve_2026_34197_checker.py --version 5.18.3
```

**Check Jolokia Exposure Surface:**

```bash
python3 activemq_cve_2026_34197_checker.py --url http://127.0.0.1:8161
```

**Check with Authentication:**

```bash
python3 activemq_cve_2026_34197_checker.py \
  --url http://127.0.0.1:8161 \
  --username admin \
  --password admin
```

**Scan Local Configuration Directory:**

```bash
python3 activemq_cve_2026_34197_checker.py --config-path /opt/activemq/conf
```

**Combined Check:**

```bash
python3 activemq_cve_2026_34197_checker.py \
  --version 5.18.3 \
  --url http://127.0.0.1:8161 \
  --config-path /opt/activemq/conf
```

## Output Explanation

The tool outputs in JSON format, with key fields including:

- `version`: Version input and risk assessment;
- `jolokia`: Read-only Jolokia detection results;
- `config_path`: Local configuration scan path;
- `findings`: Identified risks, their levels, causes, and evidence;
- `remediation`: Recommendations for fixes and improvements. Common risk signals include:

- Unauthorized access to Jolokia interfaces;
- Enumeration of ActiveMQ MBean metadata;
- Operations in Jolokia metadata that could potentially change the Broker’s state;
- Overly broad `jolokia-access.xml` policies;
- Configurations with disabled authentication;
- Jolokia-related services bound to wide addresses.

## Fix Recommendations

It is recommended to upgrade Apache ActiveMQ Classic to a fixed version first:

- `5.19.4` or later;
- `6.2.3` or later. Additionally, consider the following recommendations:

- Restrict `/api/jolokia/` and Web Console access from trusted management networks;
- Review `jolokia-access.xml` to prohibit broad `exec` and sensitive MBean operations;
- Avoid using the default username and password;
- If exploitation is suspected, rotate Broker-related credentials and audit access logs;
- Implement access control for management interfaces on boundary proxies or WAFs.

## Security Boundaries

This tool is neither an exploit nor a vulnerability trigger. It does not:

- Call Jolokia `exec`;
- Create, update, or delete connectors;
- Have ActiveMQ load remote configurations;
- Write Broker configurations;
- Execute system commands. It is suitable as a tool for internal security inspections, exposure surface verification, and hardening assessments.

## Reference Links

- Apache ActiveMQ Security Announcements: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34197