Description
Apache ActiveMQ exposes a Jolokia JMX-over-HTTP API at /api/jolokia/. An authenticated attacker can invoke the addNetworkConnector() MBean operation with a crafted URI that causes the broker to fetch a remote Spring XML configuration over HTTP. The Spring XML instantiates a ProcessBuilder bean that executes attacker-supplied OS commands.
Default credentials (admin:admin) are accepted by many installations.
Verified on docker image
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/apache_activemq_jolokia_rcemsf undefined(apache_activemq_jolokia_rce) > show actions ...actions...msf undefined(apache_activemq_jolokia_rce) > set ACTION < action-name >msf undefined(apache_activemq_jolokia_rce) > show options ...show and set options...msf undefined(apache_activemq_jolokia_rce) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub