¡¾·ì϶¹«¸æ¡¿Apache ActiveMQÔ¶³Ì´úÂëÖ´Ðзì϶(CVE-2026-42588)

°ä²¼¹¦·ò 2026-06-02

Ò»¡¢·ì϶¸ÅÊö



0602·ì϶¸ÅÊö.png


Apache ActiveMQÊÇÒ»¿îÓÉApacheÈí¼þ»ù½ð»á¿ª·¢µÄ¿ªÔ´ÐÂÎÅÖÐÑë¼þ£¬Ö§³ÖJMS¡¢AMQP¡¢MQTT¡¢STOMPµÈ¶àÖÖÐÂÎźÍ̸¡£ËüÓÃÓÚ¹¹½¨¸ß¿¿µÃסµÄÒì²½ÐÂÎÅ´«µÝϵͳ£¬ÊµÏÖÀûÓüäµÄ½âñîÓëÒ첽ͨѶ£¬¿í·ºÀûÓÃÓÚÆóÒµ¼¶ÐÂÎŶÓÁÓעɢ²¼Ê½ÏµÍ³Óë΢·þÎñ¼Ü¹¹ÖС£

 

2026Äê6ÔÂ2ÈÕ£¬28Ȧ°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄ£¨VSRC£©¼à²âµ½Apache ActiveMQÔ¶³Ì´úÂëÖ´Ðзì϶¡£¸Ã·ì϶ԴÓÚWeb ConsoleĬÈ϶³öµÄ/api/jolokia/JMX-HTTPÇŽӽӿڶÔÊäÈë²ÎÊýУÑé²»¼°£¬ÇÒĬÈÏJolokia½Ó¼ûÕ½ÊõÔÊÐíŲÓÃorg.apache.activemq:*ÓйØMBeanµÄexec²Ù×÷¡£¾­¹ýÉí·ÝÈÏÖ¤µÄ¹¥»÷Õß¿Éͨ¹ý»ú¹Ø¶ñÒâmasterslave://·¢ÏÖURI£¬´¥·¢VM TransportÖеÄbrokerConfig²ÎÊý¼ÓÔØSpring ResourceXmlApplicationContext£¬´Ó¶øÔÚBrokerServiceʵÏÖÅäÖÃУÑéǰÊ·ý»¯¶ñÒâBean²¢Ö´ÐÐRuntime.exec()µÈ²½Ö裬×îÖÕÔÚBroker JVMÖÐʵÏÖÔ¶³Ì´úÂëÖ´ÐС£¹¥»÷Õ߳ɹ¦ÀûÓúó¿É½øÒ»²½½ÚÔìÐÂÎÅ·þÎñ¡¢ÇÔȡҵÎñÊý¾Ý»òºáÏòÉøÈëÄÚ²¿ÏµÍ³¡£

 


¶þ¡¢Ó°ÏìÁìÓò



Apache ActiveMQ Broker < 5.19.7

6.0.0 <= Apache ActiveMQ Broker < 6.2.6

Apache ActiveMQ All < 5.19.7

6.0.0 <= Apache ActiveMQ All < 6.2.6

Apache ActiveMQ < 5.19.7

6.0.0 <= Apache ActiveMQ < 6.2.6



Èý¡¢°²È«´ëÊ©



3.1 Éý¼¶°æ±¾


¹Ù·½ÒѰ䲼½¨¸´²¹¶¡£¬ÒÔ½¨¸´¸Ã·ì϶¡£

Apache ActiveMQ Broker >= 5.19.7

Apache ActiveMQ All >= 5.19.7

Apache ActiveMQ >= 5.19.7

»òÉý¼¶ÖÁ£º

Apache ActiveMQ Broker >= 6.2.6

Apache ActiveMQ All >= 6.2.6

Apache ActiveMQ >= 6.2.6

ÏÂÔØÁ´½Ó£º

https://activemq.apache.org/


3.2 һʱ´ëÊ©


ÔÝÎÞ¡£


3.3 ͨÓý¨Òé


¶¨ÆÚ¸üÐÂϵͳ²¹¶¡£¬Ï÷¼õϵͳ·ì϶£¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ¡£

¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÔ죬Åú¸Ä·À»ðǽսÊõ£¬¹Ø¹Ø·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ£¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Â¶³öµ½¹«Íø£¬Ï÷¼õ¹¥»÷Ãæ¡£

ʹÓÃÆóÒµ¼¶°²È«²úÆ·£¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ¡£

¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬ÆôÓöà³É·ÖÈÏÖ¤»úÔìºÍ×îÓ×ȨÏÞ×¼Ôò£¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏÞ¶È¡£

ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä¡£


3.4 ²Î¿¼Á´½Ó


https://nvd.nist.gov/vuln/detail/CVE-2026-42588/

https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm