[Vulnerability Advisory] Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2026-42588)

Published: 2026-06-02

1. Vulnerability Overview





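Apache ActiveMQ is an open-source message middleware developed by the Apache Software Foundation that supports multiple messaging protocols, including JMS, AMQP, MQTT and STOMP. It is used to build highly reliable asynchronous messaging systems that decouple applications and let them communicate asynchronously, and it is widely deployed in enterprise message queues, distributed systems and microservice architectures.

On June 2, 2026, the mansion88明升 Security Emergency Response Center (VSRC) detected a remote code execution vulnerability in Apache ActiveMQ. The vulnerability stems from insufficient validation of input parameters by the /api/jolokia/ JMX-HTTP bridge interface that the Web Console exposes by default, combined with a default Jolokia access policy that permits invoking exec operations on MBeans under org.apache.activemq:*. An authenticated attacker can craft a malicious masterslave:// discovery URI that triggers the brokerConfig parameter of the VM Transport to load a Spring ResourceXmlApplicationContext, so that malicious beans are instantiated and methods such as Runtime.exec() are executed before BrokerService completes configuration validation, ultimately achieving remote code execution in the broker JVM. After successful exploitation, an attacker can go on to take control of the messaging service, steal business data, or move laterally into internal systems.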


2. Affected Versions



Apache ActiveMQ Broker < 5.19.7

6.0.0 <= Apache ActiveMQ Broker < 6.2.6

Apache ActiveMQ All < 5.19.7

6.0.0 <= Apache ActiveMQ All < 6.2.6

Apache ActiveMQ < 5.19.7

6.0.0 <= Apache ActiveMQ < 6.2.6



3. Security Measures

3.1 Upgrade

The vendor has released a patch that fixes this vulnerability.

Apache ActiveMQ Broker >= 5.19.7

Apache ActiveMQ All >= 5.19.7

Apache ActiveMQ >= 5.19.7

Or upgrade to:

Apache ActiveMQ Broker >= 6.2.6

Apache ActiveMQ All >= 6.2.6

Apache ActiveMQ >= 6.2.6

Download link:

https://activemq.apache.org/
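For inventory triage, the following added example (not part of the original advisory or of Apache ActiveMQ) classifies version strings against the affected ranges in section 2 and the fixed releases in section 3.1. The function names, the host names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Affected ranges from this advisory: (inclusive lower, exclusive upper).
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 19, 7)),  # Apache ActiveMQ < 5.19.7
    ((6, 0, 0), (6, 2, 6)),   # 6.0.0 <= Apache ActiveMQ < 6.2.6
]
FIXED_RELEASES = {high for _, high in AFFECTED_RANGES}

# major.minor[.patch][qualifier], e.g. "5.18", "6.2.6", "6.2.6-SNAPSHOT"
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.+]([0-9A-Za-z.+-]+))?\s*$"
)


def parse_version(text):
    """Return ((major, minor, patch), qualifier) or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), qualifier


def classify(version_text):
    """Return 'affected', 'not_affected' or 'unknown' for a version string."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    version, qualifier = parsed
    # A pre-release build of a fixed release (e.g. 6.2.6-SNAPSHOT) may
    # predate the fix, so it is flagged for manual review.
    if qualifier and version in FIXED_RELEASES:
        return "unknown"
    if any(low <= version < high for low, high in AFFECTED_RANGES):
        return "affected"
    return "not_affected"


def triage(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"mq-a": "5.18.3", "mq-b": "5.19.7", "mq-c": "6.1.0",
              "mq-d": "6.2.6-SNAPSHOT", "mq-e": "unknown-build"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need their exact build checked by hand before they are treated as patched.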


3.2 Temporary Mitigations


None at this time.


3.3 ͨÓý¨Òé


¶¨ÆÚ¸üÐÂϵͳ²¹¶¡£¬¼õÉÙϵͳ©¶´£¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ  ¡£

¼ÓǿϵͳºÍÍøÂçµÄ·ÃÎÊ¿ØÖÆ£¬Ð޸ķÀ»ðǽ²ßÂÔ£¬¹Ø±Õ·Ç±ØÒªµÄÓ¦Óö˿ڻò·þÎñ£¬¼õÉÙ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©±©Â¶µ½¹«Íø£¬¼õÉÙ¹¥»÷Ãæ  ¡£

ʹÓÃÆóÒµ¼¶°²È«²úÆ·£¬ÌáÉýÆóÒµµÄÍøÂ簲ȫÐÔÄÜ  ¡£

¼ÓǿϵͳÓû§ºÍȨÏÞ¹ÜÀí£¬ÆôÓöàÒòËØÈÏÖ¤»úÖÆºÍ×îСȨÏÞÔ­Ôò£¬Óû§ºÍÈí¼þȨÏÞÓ¦±£³ÖÔÚ×îµÍÏÞ¶È  ¡£

ÆôÓÃÇ¿ÃÜÂë²ßÂÔ²¢ÉèÖÃΪ¶¨ÆÚÐÞ¸Ä  ¡£


3.4 Reference Links


https://nvd.nist.gov/vuln/detail/CVE-2026-42588/

https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm