
Apache ActiveMQ Remote Code Execution Vulnerability and Mitigation for JDK8/Docker Environments

The article explains the critical remote code execution vulnerability discovered in Apache ActiveMQ, lists the affected and safe versions, and provides practical mitigation steps—including upgrading, network restrictions, and a custom Docker image for JDK8 users—to protect systems from exploitation.

Java Architect Essentials

On October 26, 2023, a severe security vulnerability was disclosed in Apache ActiveMQ, the popular open‑source, multi‑protocol, Java‑based message broker. By sending crafted requests to port 61616, the broker's default port, an attacker can achieve remote code execution and take full control of the ActiveMQ server.

The vulnerability affects versions prior to the security releases Apache ActiveMQ 5.18.3, 5.17.6, 5.16.7, and 5.15.16. Users are advised to upgrade to any of these safe versions or newer.

Mitigation recommendations:

Upgrade ActiveMQ to a secure version (5.18.3, 5.17.6, 5.16.7, or later).

Configure security groups or firewalls so that port 61616 is reachable only from trusted addresses.
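
The fixed releases above are per release branch, so comparing a version against one minimum would wrongly pass 5.16.0 through 5.16.6 as "newer" than 5.15.16. The shell function below is an added example, not part of the original article; `activemq_status` is a hypothetical name, and treating branches newer than 5.18 as patched is an assumption based on the article's "or newer".

```shell
#!/bin/sh
# Added example: classify an ActiveMQ version against the fixed releases
# named in the article (5.18.3, 5.17.6, 5.16.7, 5.15.16).
# activemq_status is a hypothetical helper name, not an ActiveMQ tool.

# Prints "patched", "affected" or "unknown"; exit status 0, 1 or 2.
activemq_status() {
    ver=$1
    case $ver in
        # Reject anything that is not dotted decimal (e.g. the tag "latest").
        *[!0-9.]*|''|.*|*.|*..*) echo unknown; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ $# -ge 2 ] || { echo unknown; return 2; }
    major=$1 minor=$2 patch=${3:-0}

    # The fix threshold depends on the release branch.
    case "$major.$minor" in
        5.18) min=3 ;;
        5.17) min=6 ;;
        5.16) min=7 ;;
        5.15) min=16 ;;
        *)
            # Assumption: branches newer than 5.18 count as "or newer";
            # branches older than 5.15 have no fixed release listed.
            if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 18 ]; }; then
                echo patched; return 0
            fi
            echo affected; return 1 ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo patched; return 0; fi
    echo affected; return 1
}

# Constructed sample versions; 5.16.0 is "newer" than 5.15.16 yet affected.
for v in 5.15.16 5.16.0 5.16.7 5.18.2 5.14.5 latest; do
    printf '%-8s %s\n' "$v" "$(activemq_status "$v")"
done
```

An image tag such as `latest` carries no version information, so the function reports it as unknown; feed it the version the broker itself reports.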

For environments that rely on JDK 8 and run ActiveMQ inside Docker, official images for the required safe versions are not always available. The author therefore built a custom Docker image based on JDK 8 that includes ActiveMQ 5.16.7. The image can be pulled with the following command:

docker pull system63mush/activemq5.16.7-jdk8-1:latest

After pulling the image, it can be started directly (Dockerfile details are available by replying “df” to the associated public account).

In summary, promptly upgrading ActiveMQ, restricting network access, and using a hardened Docker image are essential steps to safeguard systems against this remote code execution flaw.
