> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Apache ActiveMQ is a popular open-source message broker that implements the Java Message Service (JMS) API. It plays a critical role as middleware, enabling reliable communication between distributed systems and applications.
Recently, Chaitin Security detected in-the-wild exploitation of a newly disclosed Remote Code Execution (RCE) vulnerability in ActiveMQ. Apache has since released patched versions, and we strongly recommend that all users upgrade immediately.
Our team analyzed the flaw as soon as we received intelligence and notified customers on October 19 to take defensive action. The official patched versions were released shortly after. To help the community, we've also built both a remote detection tool (XPoC) and a local detection tool (Muyun) that are freely available.
Vulnerability Description
By default, ActiveMQ exposes port 61616. Unfortunately, this service does not adequately filter incoming data. Attackers can send specially crafted requests to this port and achieve remote code execution on the target server.
Detection Tools
Muyun Local Scanner
You can test your local environment with the following command:
./activemq_broker_rce_ct_855664_scanner_linux_amd64
Download here:
(XPoC remote scanner will be released later this week along with the updated version.)
Affected Versions
The following versions are vulnerable:
- ActiveMQ < 5.18.3
- ActiveMQ < 5.17.6
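To turn the two ranges above into a check that runs on a host, here is an added POSIX shell script (example code written for this post, not part of the advisory or of Chaitin's Muyun scanner). It encodes the advisory's ranges: 5.17.x below 5.17.6 and 5.18.x below 5.18.3 are affected, anything older than 5.17 also falls under "< 5.17.6", and versions outside both listed ranges are reported as not listed. The `activemq_installed_version` helper, which reads the version from the `activemq-broker-<version>.jar` file name under `$ACTIVEMQ_HOME/lib`, is an assumption about the standard distribution layout.

```sh
#!/bin/sh
# Added example (not part of the advisory or of Chaitin's tools): classify an
# ActiveMQ version against the ranges listed above.
# Exit status: 0 = affected, 1 = not in the listed ranges, 2 = unparsable input.
activemq_version_affected() {
  v=$1
  v=${v#v}                      # tolerate a leading "v"
  v=${v%%[!0-9.]*}              # drop qualifiers such as "-SNAPSHOT"
  case $v in
    *.*) ;;                     # need at least major.minor
    *)   return 2 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
    *)   patch=0 ;;             # "5.17" is treated as 5.17.0
  esac
  for n in "$major" "$minor" "$patch"; do
    case $n in ''|*[!0-9]*) return 2 ;; esac
  done
  if [ "$major" -lt 5 ]; then return 0; fi    # below 5.17.6
  if [ "$major" -gt 5 ]; then return 1; fi    # not in either listed range
  if [ "$minor" -lt 17 ]; then return 0; fi   # 5.16 and older: below 5.17.6
  if [ "$minor" -eq 17 ]; then
    if [ "$patch" -lt 6 ]; then return 0; else return 1; fi
  fi
  if [ "$minor" -eq 18 ]; then
    if [ "$patch" -lt 3 ]; then return 0; else return 1; fi
  fi
  return 1                                    # 5.19+: outside the listed ranges
}

# Assumption: the standard distribution ships lib/activemq-broker-<version>.jar,
# so the version can be read from the file name without starting the broker.
activemq_installed_version() {
  home=${1:-${ACTIVEMQ_HOME:-/opt/activemq}}
  for jar in "$home"/lib/activemq-broker-*.jar; do
    [ -f "$jar" ] || continue
    name=${jar##*/}
    name=${name#activemq-broker-}
    echo "${name%.jar}"
    return 0
  done
  echo "no activemq-broker jar found under $home/lib" >&2
  return 2
}

# Human-readable verdict; exit status mirrors activemq_version_affected.
report_version() {
  rc=0
  activemq_version_affected "$1" || rc=$?
  case $rc in
    0) echo "$1: AFFECTED - upgrade to 5.17.6+ or 5.18.3+" ;;
    1) echo "$1: not in the affected ranges" ;;
    *) echo "$1: could not parse version" >&2 ;;
  esac
  return $rc
}

# Usage: sh check_activemq.sh 5.18.2    or    sh check_activemq.sh /opt/activemq
if [ "$#" -gt 0 ]; then
  case $1 in
    */*) ver=$(activemq_installed_version "$1") || exit 2 ;;
    *)   ver=$1 ;;
  esac
  report_version "$ver"
fi
```

The exit status is the useful part for fleet checks: run it over your inventory and anything returning 0 goes on the upgrade list, while a 2 means the version string needs a human look rather than being silently treated as safe.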
Mitigation & Fix
Temporary Mitigation
Restrict access to port 61616 using network ACLs. For example, allow only trusted IP addresses or specific subnets.
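As an added example (not from the advisory), here is a POSIX shell script that implements the network ACL described above with nftables: TCP port 61616 is accepted only from the trusted IPv4 sources passed on the command line, and every other connection attempt to that port is logged and dropped. The table name `activemq_acl`, the set name `trusted_v4` and the log prefix are names chosen for this example.

```sh
#!/bin/sh
# Added example (not part of the advisory): restrict TCP/61616 to trusted IPv4
# sources with nftables, dropping and logging everything else.
# Usage: sh activemq_acl.sh 10.0.0.0/8 192.168.10.0/24

# Print the ruleset for the given trusted CIDRs (at least one is required).
activemq_acl_ruleset() {
  if [ "$#" -eq 0 ]; then
    echo "usage: activemq_acl_ruleset CIDR [CIDR ...]" >&2
    return 2
  fi
  elements=$1
  shift
  for cidr in "$@"; do
    elements="$elements, $cidr"
  done
  cat <<EOF
table inet activemq_acl
delete table inet activemq_acl
table inet activemq_acl {
  set trusted_v4 {
    type ipv4_addr
    flags interval
    elements = { $elements }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 61616 ip saddr @trusted_v4 accept
    tcp dport 61616 log prefix "activemq-61616-drop: " counter drop
  }
}
EOF
}

# Load the ruleset into the kernel (needs root). The declare/delete pair at the
# top of the ruleset makes re-running the script replace the previous table
# instead of appending duplicate rules.
apply_activemq_acl() {
  [ "$#" -gt 0 ] || return 2
  activemq_acl_ruleset "$@" | nft -f -
}

if [ "$#" -gt 0 ]; then
  apply_activemq_acl "$@"
fi
```

Run it on the broker host as root; calling `activemq_acl_ruleset` alone prints the ruleset for review before anything is loaded. Because the accept rule matches only IPv4 sources, IPv6 clients fall through to the drop rule, so add an `ipv6_addr` set of the same shape if the broker serves IPv6 clients. Dropped attempts appear in the kernel log with the `activemq-61616-drop:` prefix, which is a cheap signal of which hosts are still reaching for the port while you schedule the upgrade.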
Permanent Fix
Apache has released patched versions. Upgrade as soon as possible:
- Update to 5.17.6 or higher
- Update to 5.18.3 or higher
Download official releases
Product Support
- Yuntu: Supports fingerprinting + PoC-based detection
- Dongjian: Supported since engine v6.14.0
- Quanxi: Detection rules have been released
- Muyun: From platform v23.05.001 and above, users can update via the "Emergency Vulnerability" feature. Earlier versions should contact Muyun technical support.
Timeline
- Aug 30: Chaitin Emergency Lab reproduced and analyzed the vulnerability
- Oct 18: In-the-wild exploitation detected
- Oct 19: Vendor and customers notified; product protections deployed
- Oct 25: Vulnerability publicly disclosed
- Oct 25: Chaitin Emergency Response Center issued security advisory
References
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.
Top comments (1)
It is really interesting.