¡¾·ì϶¹«¸æ¡¿Apache ActiveMQÔ¶³Ì´úÂëÖ´Ðзì϶(CVE-2026-42588)
°ä²¼¹¦·ò 2026-06-02Ò»¡¢·ì϶¸ÅÊö

Apache ActiveMQÊÇÒ»¿îÓÉApacheÈí¼þ»ù½ð»á¿ª·¢µÄ¿ªÔ´ÐÂÎÅÖÐÑë¼þ£¬Ö§³ÖJMS¡¢AMQP¡¢MQTT¡¢STOMPµÈ¶àÖÖÐÂÎźÍ̸¡£ËüÓÃÓÚ¹¹½¨¸ß¿¿µÃסµÄÒì²½ÐÂÎÅ´«µÝϵͳ£¬ÊµÏÖÀûÓüäµÄ½âñîÓëÒ첽ͨѶ£¬¿í·ºÀûÓÃÓÚÆóÒµ¼¶ÐÂÎŶÓÁÓעɢ²¼Ê½ÏµÍ³Óë΢·þÎñ¼Ü¹¹ÖС£
2026Äê6ÔÂ2ÈÕ£¬28Ȧ°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄ£¨VSRC£©¼à²âµ½Apache ActiveMQÔ¶³Ì´úÂëÖ´Ðзì϶¡£¸Ã·ì϶ԴÓÚWeb ConsoleĬÈ϶³öµÄ/api/jolokia/JMX-HTTPÇŽӽӿڶÔÊäÈë²ÎÊýУÑé²»¼°£¬ÇÒĬÈÏJolokia½Ó¼ûÕ½ÊõÔÊÐíŲÓÃorg.apache.activemq:*ÓйØMBeanµÄexec²Ù×÷¡£¾¹ýÉí·ÝÈÏÖ¤µÄ¹¥»÷Õß¿Éͨ¹ý»ú¹Ø¶ñÒâmasterslave://·¢ÏÖURI£¬´¥·¢VM TransportÖеÄbrokerConfig²ÎÊý¼ÓÔØSpring ResourceXmlApplicationContext£¬´Ó¶øÔÚBrokerServiceʵÏÖÅäÖÃУÑéǰÊ·ý»¯¶ñÒâBean²¢Ö´ÐÐRuntime.exec()µÈ²½Ö裬×îÖÕÔÚBroker JVMÖÐʵÏÖÔ¶³Ì´úÂëÖ´ÐС£¹¥»÷Õ߳ɹ¦ÀûÓúó¿É½øÒ»²½½ÚÔìÐÂÎÅ·þÎñ¡¢ÇÔȡҵÎñÊý¾Ý»òºáÏòÉøÈëÄÚ²¿ÏµÍ³¡£
¶þ¡¢Ó°ÏìÁìÓò
Apache ActiveMQ Broker < 5.19.7
6.0.0 <= Apache ActiveMQ Broker < 6.2.6
Apache ActiveMQ All < 5.19.7
6.0.0 <= Apache ActiveMQ All < 6.2.6
Apache ActiveMQ < 5.19.7
6.0.0 <= Apache ActiveMQ < 6.2.6
Èý¡¢°²È«´ëÊ©
3.1 Éý¼¶°æ±¾
¹Ù·½ÒѰ䲼½¨¸´²¹¶¡£¬ÒÔ½¨¸´¸Ã·ì϶¡£
Apache ActiveMQ Broker >= 5.19.7
Apache ActiveMQ All >= 5.19.7
Apache ActiveMQ >= 5.19.7
»òÉý¼¶ÖÁ£º
Apache ActiveMQ Broker >= 6.2.6
Apache ActiveMQ All >= 6.2.6
Apache ActiveMQ >= 6.2.6
ÏÂÔØÁ´½Ó£º
https://activemq.apache.org/
3.2 һʱ´ëÊ©
ÔÝÎÞ¡£
3.3 ͨÓý¨Òé
¶¨ÆÚ¸üÐÂϵͳ²¹¶¡£¬Ï÷¼õϵͳ·ì϶£¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ¡£
¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÔ죬Åú¸Ä·À»ðǽսÊõ£¬¹Ø¹Ø·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ£¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Â¶³öµ½¹«Íø£¬Ï÷¼õ¹¥»÷Ãæ¡£
ʹÓÃÆóÒµ¼¶°²È«²úÆ·£¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ¡£
¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬ÆôÓöà³É·ÖÈÏÖ¤»úÔìºÍ×îÓ×ȨÏÞ×¼Ôò£¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏÞ¶È¡£
ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä¡£
3.4 ²Î¿¼Á´½Ó
https://nvd.nist.gov/vuln/detail/CVE-2026-42588/
https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm


¾©¹«Íø°²±¸11010802024551ºÅ