
Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) (Fixes #1507)#1531

Open
Aarush289 wants to merge 19 commits intoOWASP:masterfrom
Aarush289:CVE-2026-34197

Conversation

@Aarush289
Contributor

Proposed change

Adds a new Nettacker module to detect CVE-2026-34197 in Apache ActiveMQ via the Jolokia API.
Tested against local vulnerable instance
Fixes #1507

image

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change that fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I've digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test and I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I've attached screenshots demonstrating that my code works as intended (if applicable)
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

Signed-off-by: Aarush <cs24b064@smail.iitm.ac.in>
Removed entry for FortiWeb authentication bypass vulnerability.

Signed-off-by: Aarush <cs24b064@smail.iitm.ac.in>
Signed-off-by: Aarush <cs24b064@smail.iitm.ac.in>
Signed-off-by: Aarush <cs24b064@smail.iitm.ac.in>
@coderabbitai
Contributor

coderabbitai Bot commented Apr 25, 2026

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8e34296c-2426-4549-9745-db5476ffa391

📥 Commits

Reviewing files that changed from the base of the PR and between a2157ee and 1422b65.

📒 Files selected for processing (2)
  • docs/Modules.md
  • nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml

Summary by CodeRabbit

  • New Features

    • Added detection for Apache ActiveMQ Classic Jolokia remote code execution vulnerability (CVE-2026-34197).
  • Documentation

    • Updated vulnerability modules documentation to reflect new ActiveMQ detection capability.

Walkthrough

Adds a new Nettacker vulnerability module for CVE-2026-34197 (Apache ActiveMQ Jolokia RCE) and registers it in docs/Modules.md. The module defines two HTTP POST detection steps to /api/jolokia/ (http/https; ports 8161, 80, 443) checking for HTTP 200 and specific response strings.

Changes

ActiveMQ CVE-2026-34197 module

Changes by layer and file:

  • Module metadata (nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml): Defines info metadata for the activemq_cve_2026_34197_jolokia_rce_vuln module (name, author, severity, description, references, profiles).
  • Payload step 1 (auth) (same file): Adds HTTP POST detection step to {schema}://{target}:{ports}/api/jolokia/ with Basic Authorization, executes Jolokia exec addNetworkConnector, expects HTTP 200 and response containing addNetworkConnector and org.apache.activemq.
  • Payload step 2 (no-auth) (same file): Adds same HTTP POST detection step without Authorization header; same matching conditions.
  • Docs registration (docs/Modules.md): Inserted activemq_cve_2026_34197_jolokia_rce_vuln into the "Vuln Modules" list (single-line docs update).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

new module, documentation

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks: 5 passed
  • Title check (✅ Passed): The title accurately summarizes the main change: adding a new ActiveMQ Jolokia RCE detection module for CVE-2026-34197.
  • Description check (✅ Passed): The description clearly relates to the changeset, explaining the new module addition, testing performed, and linking to issue #1507.
  • Linked Issues check (✅ Passed): The PR fully addresses the requirement from issue #1507 by implementing a Nettacker module to detect CVE-2026-34197 via the Jolokia API.
  • Out of Scope Changes check (✅ Passed): All changes are in-scope: the new vulnerability detection module and updated documentation directly align with the linked issue requirements.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce_vuln`:
- Line 54: The module hardcodes the MBean ObjectName
("org.apache.activemq:type=Broker,brokerName=localhost") which only detects
brokers using the default brokerName; update the module
activemq_cve_2026_34197_jolokia_rce_vuln to either (A) document this limitation
in the module description or (B) implement broker-name discovery before
exploitation by calling Jolokia's "list" operation to enumerate
org.apache.activemq:type=Broker entries, extract the actual brokerName, and
template that value into the MBean string used for the exploit payload; locate
references to the literal "org.apache.activemq:type=Broker,brokerName=localhost"
and replace with a discovered/template variable or add the documentation note.
- Around line 5-10: Update the module description (the YAML "description" block)
to remove the claim that the probe is safe/read-only and instead clearly state
that the module invokes addNetworkConnector via Jolokia which will create a
persistent network connector entry (e.g.
"static:(vm://nettacker-probe-000?brokerConfig=none)") that remains until broker
restart or explicit removal and which the broker will attempt to start; mention
this is the reliable detection path for CVE-2026-34197 and warn operators not to
run against production brokers unless they accept these side effects.
- Line 1: The module file is missing the .yaml extension and will not be loaded by
the TemplateLoader; rename the file from activemq_cve_2026_34197_jolokia_rce_vuln to
activemq_cve_2026_34197_jolokia_rce_vuln.yaml so it matches other vulnerability
modules and the loader's expected pattern; ensure any references to the module
name in the repo (if any) are updated to the new filename so registration works
correctly.
- Around line 26-106: Split the single payload that contains two post steps into
two independent payloads: one payload that includes the Authorization header
("Authorization: \"Basic YWRtaW46YWRtaW4=\"") and targets the nettacker_fuzzer
URL with the exec addNetworkConnector data, and a separate payload that omits
the Authorization header but otherwise uses the same method/post, timeout,
headers (User-Agent, Content-Type), url (nettacker_fuzzer), and JSON data (type
exec, mbean org.apache.activemq:type=Broker,brokerName=localhost, operation
addNetworkConnector, arguments
["static:(vm://nettacker-probe-000?brokerConfig=none)"]); ensure each payload
has its own response checks (status_code 200 and content regex matching
addNetworkConnector and org.apache.activemq) so one can succeed/fail
independently, and optionally gate the unauthenticated payload to run only if
the authenticated payload fails to avoid double-mutating the broker state.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a014e098-47d6-4992-84da-cf54fb8d5695

📥 Commits

Reviewing files that changed from the base of the PR and between d873811 and c6f3ac4.

📒 Files selected for processing (2)
  • docs/Modules.md
  • nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce_vuln

Contributor

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (3)
nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml (3)

5-10: ⚠️ Potential issue | 🟡 Minor

Description still misleadingly calls the probe "safe".

addNetworkConnector is a state-mutating operation: on a vulnerable broker this call creates a persistent network connector entry (static:(vm://nettacker-probe-000?brokerConfig=none)) that the broker will attempt to start and that survives until restart or manual removal. Please update the description to reflect this so operators don't run the module against production brokers expecting it to be side-effect free.

📝 Suggested wording
   description: |
     Detects CVE-2026-34197 in Apache ActiveMQ Classic via Jolokia API.
     The vulnerability allows execution of addNetworkConnector which can
     load remote configuration via vm:// and xbean: protocol.
-    This module sends a safe detection payload and checks for successful
-    execution indicators in the response.
+    Detection invokes addNetworkConnector via the Jolokia exec API with a
+    benign vm:// URI (brokerConfig=none); patched brokers (5.19.4 / 6.2.3)
+    reject vm:// transport for this operation.
+    Note: on vulnerable brokers this creates a persistent network connector
+    entry that remains until broker restart or manual removal.
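Review bot: The rewritten description still leaves out the brokerName=localhost assumption that the line-54 finding in this same review asks to have documented; since the mbean string in both payloads is fixed to org.apache.activemq:type=Broker,brokerName=localhost, add a line to the `+` block such as "The MBean ObjectName assumes the default brokerName=localhost; brokers configured with another brokerName are not detected." so that a negative result can be read correctly by operators.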
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml` around lines
5 - 10, Update the module description to remove the claim that the probe is
"safe" and explicitly state that invoking addNetworkConnector is state-mutating:
it will create a persistent network connector entry (e.g.
static:(vm://nettacker-probe-000?brokerConfig=none)) that the broker will
attempt to start and which persists until broker restart or manual removal;
ensure the description around the detection payload and response checks
(referencing addNetworkConnector) warns operators not to run this against
production brokers expecting side-effect-free behavior.

26-106: ⚠️ Potential issue | 🟠 Major

Authenticated and unauthenticated probes should be separate payloads.

Both probes are still nested as two steps under a single payload. They target distinct deployment shapes (default-credential brokers vs. CVE-2024-32114-affected unauth Jolokia in 6.0.0–6.1.1), so on an auth-required broker step 2 will always 401 and never match even when step 1 succeeds — and vice versa on an unauth instance. Splitting them into two independent payloads lets each succeed/fail on its own and keeps reporting clean. Optionally gate the unauth payload on the auth payload failing to avoid double-mutating vulnerable brokers.

♻️ Restructure into two payloads
 payloads:
   - library: http
     steps:
       - method: post
         timeout: 10
         headers:
           User-Agent: "{user_agent}"
           Content-Type: "application/json"
           Authorization: "Basic YWRtaW46YWRtaW4="
         ssl: false
         url:
           nettacker_fuzzer:
             input_format: "{{schema}}://{target}:{{ports}}/api/jolokia/"
             prefix: ""
             suffix: ""
             interceptors:
             data:
               schema:
                 - "http"
                 - "https"
               ports:
                 - 8161
                 - 80
                 - 443
         data: |
           {{
             "type": "exec",
             "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
             "operation": "addNetworkConnector",
             "arguments": ["static:(vm://nettacker-probe-000?brokerConfig=none)"]
           }}
         response:
           condition_type: and
           conditions:
             status_code:
               regex: '200'
               reverse: false
             content:
               regex: '(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)'
               reverse: false
-
-      - method: post
+
+  - library: http
+    steps:
+      - method: post
         timeout: 10
         headers:
           User-Agent: "{user_agent}"
           Content-Type: "application/json"
         ssl: false
         url:
           nettacker_fuzzer:
             input_format: "{{schema}}://{target}:{{ports}}/api/jolokia/"
             prefix: ""
             suffix: ""
             interceptors:
             data:
               schema:
                 - "http"
                 - "https"
               ports:
                 - 8161
                 - 80
                 - 443
         data: |
           {{
             "type": "exec",
             "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
             "operation": "addNetworkConnector",
             "arguments": ["static:(vm://nettacker-probe-000?brokerConfig=none)"]
           }}
         response:
           condition_type: and
           conditions:
             status_code:
               regex: '200'
               reverse: false
             content:
               regex: '(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)'
               reverse: false
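Review bot: The response block of both payloads only proves that the reply contains strings the request itself sends: addNetworkConnector and org.apache.activemq are both in the data block, and Jolokia echoes the request object back in its error replies too, with the failure reported as a JSON status (404 for an unknown MBean, 500 for a rejected operation) inside an HTTP 200 body by default. As written, status_code '200' plus the two lookaheads will therefore report a broker with a non-default brokerName, or a patched broker that rejects the vm:// transport, as vulnerable. Tighten the content regex to require Jolokia's own success marker and exclude the error key, e.g. `regex: '(?s)(?=.*"status":\s*200)(?=.*addNetworkConnector)(?!.*"error")'`. Separately, the gating of the unauthenticated payload on the authenticated one failing that the comment text proposes is not in this diff: both payloads run unconditionally, so on a default-credential broker both will call addNetworkConnector with the same nettacker-probe-000 URI.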
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml` around lines
26 - 106, The current payload bundles both authenticated and unauthenticated
probes as two steps under a single payload, which causes false negatives because
an auth-required broker will 401 on the unauth step and an unauthenticated
Jolokia will 401 on the auth step; split them into two separate payload objects
under "payloads": one payload containing the post step that includes the
Authorization header (the authenticated probe) and a second payload containing
the post step without Authorization (the unauthenticated probe), preserving the
same url, data and response checks for each; optionally implement a gating
mechanism so the unauth payload only runs if the authenticated payload fails
(keep the existing "method: post" blocks, headers entries and response checks
intact but move each into its own top-level payload entry).

54-54: ⚠️ Potential issue | 🟡 Minor

Hardcoded brokerName=localhost will miss customized brokers.

Operators who set a non-default <broker brokerName="..."> in activemq.xml will not match this MBean ObjectName and the module will report no vulnerability even when the broker is exploitable. Acceptable as a baseline, but please at minimum document this limitation in the description, or consider a follow-up that issues a Jolokia list/search to discover the actual broker name and templates it into the exec payload.

Also applies to line 93.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml` at line 54,
The hardcoded MBean ObjectName "mbean":
"org.apache.activemq:type=Broker,brokerName=localhost" (and its duplicate
occurrence) will miss non-default brokerName values; either update the module to
discover broker names via a Jolokia list/search and template the actual
brokerName into the payload before use, or at minimum document this limitation
in the module description. Locate the "mbean" entries in
activemq_cve_2026_34197_jolokia_rce.yaml and replace the fixed brokerName with a
discovery step that queries Jolokia for
"org.apache.activemq:type=Broker,brokerName=*" and extracts the real brokerName
to use, or change the mbean to use a wildcard form and ensure the rest of the
payload accepts a discovered brokerName, and add clear documentation in the
description about the prior localhost-only assumption.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b480af5a-4bb4-4b44-abfb-7850c26e6ef6

📥 Commits

Reviewing files that changed from the base of the PR and between c6f3ac4 and dbdd592.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml
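The two findings above (the response checks on lines 26-106 and the fixed brokerName on line 54) can be checked offline with a small script. This is an added example, not Nettacker's code or part of the PR; the Jolokia replies it embeds are constructed stand-ins for the deployment shapes the review discusses, and the error text for the patched-broker case is an assumption, not a capture.

```python
"""Evaluate Jolokia replies the way the module's `response` block does, and
contrast that with a check on Jolokia's own JSON `status` field.
All replies below are constructed for illustration, not broker captures."""
import json
import re

# Content condition copied from the module; both payloads use the same one.
MODULE_CONTENT_REGEX = re.compile(r"(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)")

# Jolokia echoes the request in every reply, so the probe's own strings appear
# in error bodies too. The patched-broker error text is an assumption.
ECHOED_REQUEST = {
    "type": "exec",
    "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
    "operation": "addNetworkConnector",
    "arguments": ["static:(vm://nettacker-probe-000?brokerConfig=none)"],
}
SAMPLES = {
    "vulnerable": (200, json.dumps(
        {"request": ECHOED_REQUEST, "value": "NC", "status": 200})),
    # Non-default brokerName: Jolokia answers HTTP 200 with status 404 in the body.
    "wrong_broker_name": (200, json.dumps(
        {"request": ECHOED_REQUEST, "status": 404,
         "error_type": "javax.management.InstanceNotFoundException",
         "error": "javax.management.InstanceNotFoundException : No MBean with "
                  "ObjectName org.apache.activemq:type=Broker,brokerName=localhost found"})),
    # Patched broker rejecting vm:// for this operation (assumed wording).
    "patched": (200, json.dumps(
        {"request": ECHOED_REQUEST, "status": 500,
         "error_type": "java.lang.IllegalArgumentException",
         "error": "java.lang.IllegalArgumentException : vm:// transport rejected"})),
    "auth_required": (401, ""),
}


def module_condition(http_status: int, body: str) -> bool:
    """Reproduces the module's `and` of status_code '200' and the content regex."""
    return http_status == 200 and MODULE_CONTENT_REGEX.search(body) is not None


def classify(http_status: int, body: str) -> str:
    """Stricter verdict that reads Jolokia's JSON status instead of echoed request text."""
    if http_status != 200:
        return "auth-required" if http_status == 401 else "unexpected-http-status"
    try:
        reply = json.loads(body)
    except json.JSONDecodeError:
        return "not-jolokia"
    if reply.get("status") == 200 and "error" not in reply:
        return "vulnerable"
    if reply.get("status") == 404:
        return "mbean-not-found"  # usually a custom brokerName, not a fixed broker
    return "rejected"  # exec refused: patched broker or operation disallowed


def broker_names_from_search(body: str) -> list:
    """Extracts brokerName values from a Jolokia `search` reply for
    org.apache.activemq:type=Broker,brokerName=* (the discovery step the review suggests)."""
    reply = json.loads(body)
    return re.findall(r"brokerName=([^,]+)", " ".join(reply.get("value", [])))
```

Running module_condition over SAMPLES shows the module's regex accepting all three HTTP 200 replies, while classify separates the genuinely vulnerable reply from the MBean-not-found and rejected cases.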

@Aarush289 Aarush289 force-pushed the CVE-2026-34197 branch 2 times, most recently from dbdd592 to c6f3ac4 Compare April 25, 2026 06:57
@securestep9
Collaborator

@coderabbitai full review

@coderabbitai
Contributor

coderabbitai Bot commented May 10, 2026

✅ Actions performed

Full review triggered.


Development

Successfully merging this pull request may close these issues.

CVE-2026-34197 Apache ActiveMQ module needed
