Improper Control of Generation of Code ('Code Injection')
CVE-2026-34197
Summary
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker and Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at "/api/jolokia/" on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans "org.apache.activemq:*", including "BrokerService.addNetworkConnector(String)" and "BrokerService.addConnector(String)". An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's "brokerConfig" parameter to load a remote Spring XML application context using "ResourceXmlApplicationContext". Because Spring's "ResourceXmlApplicationContext" instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as "Runtime.exec()". This issue affects Apache ActiveMQ Broker, Apache ActiveMQ All and Apache ActiveMQ: all versions prior to 5.19.4, and versions from 6.0.0 up to (but not including) 6.2.3.
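The following is an added example, not code from the advisory or from the Apache ActiveMQ project: a small Python check that flags Jolokia exec requests aimed at the two BrokerService operations named above, in both request forms Jolokia accepts (the GET path form and the JSON POST form), and notes whether the connector URI carries the "brokerConfig" parameter. It assumes the bridge is served at "/api/jolokia/" as stated; the sample requests are constructed, and PLACEHOLDER_URI stands in for any brokerConfig value.

```python
import json
import re
from urllib.parse import unquote

RISKY_OPERATIONS = {"addNetworkConnector", "addConnector"}  # named in the advisory
BROKER_MBEAN_PREFIX = "org.apache.activemq:"  # domain the default policy exposes
# GET form: /api/jolokia/exec/<mbean>/<operation>[(signature)]/<args...>
EXEC_GET = re.compile(r"/api/jolokia/exec/([^/]+)/([^/(]+)(?:\([^)]*\))?(?:/(.*))?$")

def classify_exec(mbean, operation, args):
    """Return a finding dict when the exec targets a risky BrokerService operation."""
    op_name = operation.split("(", 1)[0]  # drop a "(java.lang.String)" signature
    if not mbean.startswith(BROKER_MBEAN_PREFIX) or op_name not in RISKY_OPERATIONS:
        return None
    arg_text = " ".join(str(a) for a in args).lower()
    # brokerConfig is the VM-transport parameter the advisory says loads a Spring context.
    return {"mbean": mbean, "operation": op_name,
            "broker_config": "brokerconfig=" in arg_text}

def inspect_get(path):
    """GET form; the argument tail is taken whole, so Jolokia's '!/' escapes stay intact."""
    m = EXEC_GET.search(unquote(path))
    return classify_exec(m.group(1), m.group(2), [m.group(3) or ""]) if m else None

def inspect_post(body):
    """POST form; one JSON request object or a batch list of them."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return None
    for req in parsed if isinstance(parsed, list) else [parsed]:
        if isinstance(req, dict) and req.get("type") == "exec":
            hit = classify_exec(str(req.get("mbean", "")), str(req.get("operation", "")),
                                req.get("arguments") or [])
            if hit:
                return hit
    return None

def scan(requests):
    """requests: iterable of (method, path_or_body); returns the findings in order."""
    hits = (inspect_get(p) if m == "GET" else inspect_post(p) for m, p in requests)
    return [h for h in hits if h]

# Constructed samples (not captured traffic): benign GC, GET with brokerConfig, POST addConnector.
SAMPLES = [
    ("GET", "/api/jolokia/exec/java.lang:type=Memory/gc"),
    ("GET", "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost"
            "/addNetworkConnector/vm:!/!/localhost?brokerConfig=PLACEHOLDER_URI"),
    ("POST", '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"operation":"addConnector(java.lang.String)","arguments":["tcp://0.0.0.0:61617"]}'),
]
```

Run `scan(SAMPLES)` to see the two findings; a production check would feed it the web console's access log paths and request bodies.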
CVSS base metrics (metric values only; the metric names were not preserved on this page)
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-94 - Code Injection
Code injection is a type of vulnerability that allows an attacker to execute arbitrary code. This vulnerability fully compromises the machine and can cause a wide variety of security issues, such as unauthorized access to sensitive information, manipulation of data, and denial of service attacks. Code injection differs from command injection in that it is limited by the functionality of the injected language (e.g. PHP), whereas command injection leverages existing code to execute commands, usually within the context of a shell.
References
Advisory Timeline
- Published