THALES GROUP LIMITED DISTRIBUTION to email recipients
Hello everyone,
I am pursuing my investigations into this CVE.
From the information I got from the internet, my understanding is that ActiveMQ
could have 2 ports opened:
- 8161 for the ActiveMQ console
- 61616 for the message broker itself
Is my understanding correct?
My TomEE Plus is running in a custom Docker container.
If I enter this container and perform
curl -v -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://localhost:8161/admin
I get:
* Trying ::1:8161...
* connect to ::1 port 8161 failed: Connection refused
* Trying 127.0.0.1:8161...
* connect to 127.0.0.1 port 8161 failed: Connection refused
which means that the ActiveMQ console is not reachable.
Moreover, I tried to find the jetty-realm file but I can't find it in TomEE Plus.
So all of this evidence makes me think that CVE-2026-34197, in a pure TomEE
Plus context, is a false positive as the ActiveMQ console is not deployed.
Do you confirm?
Best regards.
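As an added example (not code from the thread or from the TomEE project), a small Python self-check that does from inside the container what the curl above does by hand: probe the console port, request /admin and /api/jolokia/ with optional Basic auth, and look for jetty-realm.properties under an install root. The host, port, install roots and credentials are parameters you supply; "/usr/local/tomee" is only an assumed default.

```python
import base64, os, socket, urllib.error, urllib.request

def tcp_listening(host, port, timeout=2.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_status(url, user=None, password=None, timeout=3.0):
    """Status code of a GET (Basic auth if user given); None if unreachable."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def find_realm_files(roots, name="jetty-realm.properties"):
    """Paths of the console's credential file under the given install roots."""
    return [os.path.join(d, name) for root in roots
            for d, _, files in os.walk(root) if name in files]

def console_exposure(host="localhost", port=8161, roots=("/usr/local/tomee",),
                     user=None, password=None):
    """Collect the facts the thread checks by hand (roots: assumed install path)."""
    listening = tcp_listening(host, port)
    base = f"http://{host}:{port}"
    admin = http_status(f"{base}/admin", user, password) if listening else None
    jolokia = http_status(f"{base}/api/jolokia/", user, password) if listening else None
    return {"listening": listening, "admin_status": admin,
            "jolokia_status": jolokia, "realm_files": find_realm_files(roots)}

def verdict(result):
    """One-line summary for a deployment review."""
    if not result["listening"]:
        note = "ActiveMQ web console not listening on this port"
    elif result["jolokia_status"] in (200, 401, 403):
        note = "console listening and Jolokia endpoint answers; patch ActiveMQ or remove the console"
    else:
        note = "console listening but Jolokia endpoint not served"
    if result["realm_files"]:
        note += "; jetty-realm.properties present, review its credentials"
    return note
```

Run it inside the container (where localhost is the TomEE process) rather than from the host, otherwise a closed port only tells you about Docker's port mapping.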
-----Original Message-----
From: COURTAULT Francois <[email protected]>
Sent: Wednesday 27 May 2026 18:53
To: [email protected]
Subject: RE: [ANNOUNCE] Apache TomEE 10.1.5
Hello everyone,
Forget my last post.
If I look at CVE-2026-34197, it requires user/password authentication on the
ActiveMQ console using the following URL: http://localhost:8161/admin and then
a call to http://localhost:8161/api/jolokia/.
I think that if we use any JMS APIs in our code, ActiveMQ will be started,
right?
The question is: does the ActiveMQ console start as well?
If yes, is there a way to forbid access to the path api/jolokia?
Best Regards.
-----Original Message-----
From: COURTAULT Francois <[email protected]>
Sent: Wednesday 27 May 2026 18:22
To: [email protected]
Subject: RE: [ANNOUNCE] Apache TomEE 10.1.5
Hello Richard,
If I look at CVE-2026-34197, it requires user/password authentication using
the following URL: http://localhost:8161/admin and then a call to
http://localhost:8161/api/jolokia/.
But it seems that TomEE 10.0.1 doesn't start the ActiveMQ console. So, this CVE
is not present in TomEE, right?
Is there a way, using TomEE, to start the ActiveMQ console?
If there is none, then TomEE isn't affected by this CVE, right?
Best Regards.
-----Original Message-----
From: Richard Zowalla <[email protected]>
Sent: Tuesday 5 May 2026 12:32
To: [email protected]
Subject: Re: [ANNOUNCE] Apache TomEE 10.1.5
Just replace the related jar files in the distribution.
> On 05.05.2026 at 12:27, COURTAULT Francois
> <[email protected]> wrote:
>
> Hello,
>
> Congrats on this new release 😊
>
> Regarding ActiveMQ, I agree that ActiveMQ 6.2.5 was released 15 days
> after 6.2.4, so it was quite difficult to integrate into TomEE 10.1.5.
> Do you think there is a high risk if I update ActiveMQ to 6.2.5 instead of
> 6.2.4 (7 jars to update)?
>
> Why not integrate neethi 3.2.2 instead of neethi 3.2.1, which fixes 1
> critical CVE: CVE-2026-42403? Is it because it hasn't been tagged as Latest?
> Same question: is there a high risk if I replace neethi 3.2.1 with neethi 3.2.2?
>
> Best Regards.
>
> -----Original Message-----
> From: Markus Jung <[email protected]>
> Sent: Tuesday 5 May 2026 10:30
> To: [email protected]; [email protected]; [email protected]
> Subject: [ANNOUNCE] Apache TomEE 10.1.5
>
> The Apache TomEE team is pleased to announce the general availability of
> TomEE 10.1.5
>
> Apache TomEE delivers enterprise application containers and services based
> on, but not limited to the Enterprise JavaBeans Specification and
> Java/Jakarta Enterprise Edition Specifications.
>
> This release ships fixes related to the implementation of the
> @OpenIdAuthenticationMechanismDefinition, fixes an issue with resource
> construction, has a small improvement in logging, and features the usual
> dependency upgrades.
>
> Full release notes: https://tomee.apache.org/10.1.5/release-notes.html
>
> Downloads are available at: https://tomee.apache.org/download.html
>
> - The Apache TomEE Team