It looks like Apache ActiveMQ as packaged for Debian comes with a JMX/RMI service
listening on all network interfaces and allowing unauthenticated access.
Achieving system command execution is as simple as querying JMX for the RMI
registry endpoint port number, setting up a local proxy, and deploying and
executing a malicious managed bean, as outlined in this blog post.
It may be worth revising the way you ship ActiveMQ and eventually considering
limiting JMX access to localhost.
The commands below bring up ActiveMQ using the default configuration.
$ sudo ln -s /etc/activemq/instances-available/main
$ sudo /etc/init.d/activemq start
* Starting ActiveMQ instance activemq [ OK ]
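One way to verify the suggested mitigation on a running or staged install is to audit the configuration for a JMX connector that binds beyond loopback or runs without authentication. The script below is an added example, not code from the report or from the Debian package; the activemq.xml fragments and JVM option strings it inspects are constructed samples, and it relies on ActiveMQ's documented managementContext attributes (createConnector, connectorPort, connectorHost) and the JDK's com.sun.management.jmxremote.* properties.

```python
"""Audit an Apache ActiveMQ configuration for a JMX/RMI connector that is
reachable from all interfaces or runs without authentication.
Added example; the sample fragments below are constructed (hypothetical)
and are not copied from the Debian package or the original report."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample resembling a default activemq.xml: the connector is
# created on 1099 and no connectorHost is given, so it binds every interface.
WEAK_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker brokerName="localhost" useJmx="true">
    <amq:managementContext>
      <amq:managementContext createConnector="true" connectorPort="1099"/>
    </amq:managementContext>
  </amq:broker>
</beans>
"""

# Constructed sample of JVM options enabling the platform JMX agent
# without authentication (the com.sun.management.jmxremote.* properties).
WEAK_JVM_OPTS = ("-Dcom.sun.management.jmxremote.port=1099 "
                 "-Dcom.sun.management.jmxremote.authenticate=false "
                 "-Dcom.sun.management.jmxremote.ssl=false")

# Hardened counterpart: ActiveMQ's connector pinned to loopback, and the
# platform agent not started at all.
HARDENED_ACTIVEMQ_XML = WEAK_ACTIVEMQ_XML.replace(
    'connectorPort="1099"', 'connectorPort="1099" connectorHost="127.0.0.1"')
HARDENED_JVM_OPTS = ""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _local(tag):
    """Drop the XML namespace from an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def jmx_connector_settings(activemq_xml):
    """Collect attributes from <managementContext> elements (the inner one
    carries createConnector/connectorPort/connectorHost); {} if none."""
    settings = {}
    for el in ET.fromstring(activemq_xml).iter():
        if _local(el.tag) == "managementContext":
            settings.update(el.attrib)
    return settings


def jvm_jmx_flags(jvm_opts):
    """Map com.sun.management.jmxremote.* system properties to their values."""
    flags = {}
    for token in shlex.split(jvm_opts):
        m = re.match(r"-D(com\.sun\.management\.jmxremote[\w.]*)=(.*)$", token)
        if m:
            flags[m.group(1)] = m.group(2)
    return flags


def audit_jmx(activemq_xml, jvm_opts):
    """Return a list of findings; empty means no connector is exposed
    beyond loopback and none runs unauthenticated."""
    findings = []
    mc = jmx_connector_settings(activemq_xml)
    # ActiveMQ creates its RMI connector unless createConnector="false".
    if mc.get("createConnector", "true").lower() == "true":
        host = mc.get("connectorHost")
        if host not in LOOPBACK:
            findings.append(
                "managementContext connector on port %s is not bound to loopback "
                "(connectorHost=%r)" % (mc.get("connectorPort", "1099"), host))
    flags = jvm_jmx_flags(jvm_opts)
    port = flags.get("com.sun.management.jmxremote.port")
    # The JDK platform agent authenticates by default; "false" turns it off.
    if port and flags.get("com.sun.management.jmxremote.authenticate", "true") == "false":
        findings.append("platform JMX agent on port %s has authentication disabled" % port)
    return findings


if __name__ == "__main__":
    for label, xml, opts in (("weak", WEAK_ACTIVEMQ_XML, WEAK_JVM_OPTS),
                             ("hardened", HARDENED_ACTIVEMQ_XML, HARDENED_JVM_OPTS)):
        print(label, audit_jmx(xml, opts) or ["no findings"])
```

Point the two inputs at the instance's activemq.xml and the JVM options the init script passes, and the audit reports both exposures the report describes for the weak pair and nothing for the hardened pair. Note that the two connectors are independent: pinning connectorHost in activemq.xml does nothing for a platform agent started through JVM options, so both have to be checked.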
This is the maintainer address of Debian's Java team (debian-j...@lists.debian.org)
for discussions and questions.