Share
## https://sploitus.com/exploit?id=277C9FAC-D6C5-54B4-B126-A668459A56BB
# CVE-2026-34197 - Apache ActiveMQ Jolokia Remote Code Execution (RCE)

CVE-2026-34197 is a high severity Remote Code Execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The issue exists within the Jolokia JMX-HTTP bridge, which exposes management operations over HTTP through the `/api/jolokia/` endpoint.

The default Jolokia access policy permits authenticated users to invoke management operations on ActiveMQ MBeans. Certain broker management methods accept user-controlled discovery URIs. A specially crafted URI can cause ActiveMQ to load a remote Spring XML application context before broker configuration validation occurs.

During initialization, Spring instantiates singleton beans immediately. Since bean initialization occurs prior to ActiveMQ validating the supplied configuration, attacker-controlled bean definitions may execute arbitrary Java code inside the broker's JVM. This can ultimately result in complete compromise of the ActiveMQ process with the privileges of the running service. 

---

## Technical Details

The vulnerability affects the interaction between several components:

- Apache ActiveMQ Classic
- Jolokia JMX-HTTP Bridge
- Java Management Extensions (JMX)
- BrokerService management operations
- Spring Framework's `ResourceXmlApplicationContext`

Normally, administrative operations exposed through Jolokia are intended for broker management. However, certain broker methods accept external configuration references.

Because Spring loads and instantiates beans immediately, malicious bean definitions may execute before ActiveMQ verifies whether the supplied configuration should have been accepted.

This ordering issue creates a code execution primitive despite subsequent validation logic.

---

## Root Cause

The vulnerability results from two security design issues occurring together:

1. Administrative JMX operations exposed through Jolokia accept attacker-controlled input.
2. Spring eagerly instantiates singleton beans before ActiveMQ validates the supplied configuration.

The combination of these behaviors permits execution during application context initialization rather than after configuration validation.

---

## Impact

Successful exploitation may allow an authenticated attacker to:

- Execute arbitrary code within the broker JVM
- Compromise message broker integrity
- Access or manipulate hosted messaging infrastructure
- Potentially pivot further within the environment depending on deployment architecture

---

## Affected Versions

Affected releases include:

| Product | Vulnerable Versions |
|----------|--------------------|
| Apache ActiveMQ Classic | Earlier than 5.19.4 |
| Apache ActiveMQ 6.x | 6.0.0 through 6.2.2 |

Users should upgrade to:

- 5.19.4 or later
- 6.2.3 or later

---

## Mitigation

Apache recommends:

- Upgrade to a patched release.
- Restrict administrative access to the Jolokia endpoint.
- Limit authenticated administrative accounts.
- Monitor for unexpected broker configuration changes.
- Audit access to the ActiveMQ web console.

---