Apache ActiveMQ Code Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A code injection vulnerability allowing remote code execution has been identified in Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All, affecting versions prior to 5.19.6 and 6.x versions from 6.0.0 prior to 6.2.5. The flaw stems from improper input validation and is reachable by an authenticated attacker through the admin web console. By crafting a malicious broker name that bypasses validation, the attacker can inject an xbean binding; a VM transport can then use that binding to load a remote Spring XML application context. Once loaded, Spring's 'ResourceXmlApplicationContext' instantiates all singleton beans before the BrokerService has a chance to validate the configuration, so arbitrary code runs on the broker's JVM through methods such as 'Runtime.exec()'.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the broker's JVM, potentially leading to a complete compromise of the system running ActiveMQ.

Remediation

Users are advised to upgrade to Apache ActiveMQ 5.19.6 (5.x line) or 6.2.5 (6.x line); both releases address this vulnerability.
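A version-inventory check derived from the fix levels above, added here as an example; it is not part of the advisory or of the ActiveMQ project. It parses ActiveMQ jar file names from a host (the names below are constructed sample input), extracts the release version, and flags jars that fall in the affected ranges exactly as the advisory words them (anything before 5.19.6, and 6.0.0 up to but not including 6.2.5). A pre-release build of a fix version (for example a 5.19.6-SNAPSHOT) is treated as unpatched, since it predates the fixed release.

```python
"""Flag ActiveMQ jars in the affected ranges stated in the advisory.

Added example, not part of the advisory or the ActiveMQ project.
Assumption: the affected ranges are taken literally from the advisory text:
  - every version before 5.19.6
  - 6.0.0 <= version < 6.2.5
The jar names in SAMPLE_JARS are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

FIX_5X: Version = (5, 19, 6)   # fixed release on the 5.x line (from the advisory)
FIX_6X: Version = (6, 2, 5)    # fixed release on the 6.x line (from the advisory)
FIRST_6X: Version = (6, 0, 0)  # start of the affected 6.x range (from the advisory)

# Matches names such as activemq-broker-5.18.3.jar, activemq-all-6.1.0.jar or
# apache-activemq-5.19.6-SNAPSHOT.jar and captures major, minor, patch and an
# optional pre-release suffix.
JAR_RE = re.compile(
    r"(?:activemq|apache-activemq)(?:-[a-z]+)*-(\d+)\.(\d+)\.(\d+)"
    r"(?:[-.]([A-Za-z][\w.-]*))?\.jar$"
)


def parse_version(jar_name: str) -> Optional[Tuple[Version, bool]]:
    """Return ((major, minor, patch), is_prerelease) or None for non-ActiveMQ jars."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix is not None


def is_affected(version: Version, prerelease: bool = False) -> bool:
    """True when the version lies in an affected range as the advisory states it."""
    if version < FIX_5X:            # "versions prior to 5.19.6"
        return True
    if FIRST_6X <= version < FIX_6X:  # "6.0.0 versions prior to 6.2.5"
        return True
    # A snapshot/pre-release of the fix version predates the fixed release.
    if prerelease and version in (FIX_5X, FIX_6X):
        return True
    return False


def scan_jars(jar_names: List[str]) -> Dict[str, str]:
    """Classify each jar name as 'affected', 'fixed' or 'not an ActiveMQ jar'."""
    report: Dict[str, str] = {}
    for name in jar_names:
        parsed = parse_version(name)
        if parsed is None:
            report[name] = "not an ActiveMQ jar"
            continue
        version, prerelease = parsed
        report[name] = "affected" if is_affected(version, prerelease) else "fixed"
    return report


# Constructed sample inventory (not taken from any real host).
SAMPLE_JARS = [
    "activemq-broker-5.18.3.jar",           # 5.x before 5.19.6
    "activemq-all-6.1.0.jar",               # 6.x before 6.2.5
    "activemq-broker-5.19.6.jar",           # fixed 5.x release
    "apache-activemq-6.2.5.jar",            # fixed 6.x release
    "activemq-broker-5.19.6-SNAPSHOT.jar",  # pre-release of the fix: unpatched
    "spring-core-6.1.3.jar",                # unrelated jar, ignored
]

if __name__ == "__main__":
    for jar, status in scan_jars(SAMPLE_JARS).items():
        print(f"{status:22} {jar}")
```

In practice the input list would come from walking the broker's lib directory; the classification is deliberately conservative, so a 4.x jar or a snapshot of a fix version is reported as affected rather than silently passed.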

Added: Apr 24, 2026, 11:23 AM
Updated: Apr 24, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact         10.0
exploitability  4.4
remediation     7.7
relevance       6.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.