
Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) (Fixes #1507)#1510

Open
Aarush289 wants to merge 22 commits into OWASP:master from Aarush289:cve-2026-34197

Conversation

@Aarush289
Contributor

@Aarush289 Aarush289 commented Apr 13, 2026

Proposed change

Adds a new Nettacker module to detect CVE-2026-34197 in Apache ActiveMQ via the Jolokia API.
Tested against a local vulnerable instance.
Fixes #1507


Type of change

  • New core framework functionality
  • Bugfix (non-breaking change that fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I've digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test and I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I've attached screenshots demonstrating that my code works as intended (if applicable)
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

@coderabbitai
Contributor

coderabbitai bot commented Apr 13, 2026

Walkthrough

Added a new YAML vulnerability detection module for CVE-2026-34197 (Jolokia RCE in Apache ActiveMQ Classic) and a documentation entry registering that module. The module defines HTTP POST Jolokia exec payloads, headers, target ports/schemes, and response-match rules.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation: docs/Modules.md | Inserted a new entry under "Vuln Modules" documenting activemq_cve_2026_34197_jolokia_rce_vuln. |
| Vulnerability Module: nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml | Added new YAML vuln module with metadata, detection profiles, two HTTP POST payloads to /api/jolokia/ (iterating http/https and ports 8161, 80, 443), JSON Jolokia exec invoking addNetworkConnector, headers (one request includes Basic auth), and response checks requiring HTTP 200 and body evidence for addNetworkConnector and org.apache.activemq. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

new module, multi-step-module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title accurately describes the main change: adding a new ActiveMQ Jolokia RCE detection module for CVE-2026-34197. It is specific, concise, and directly reflects the content of the pull request. |
| Description check | ✅ Passed | The PR description clearly describes adding a new Nettacker module to detect CVE-2026-34197 in Apache ActiveMQ via the Jolokia API, which aligns with the changeset. |

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml (1)

62-67: Tighten response matching to reduce false positives.

Current checks are broad (regex: '200' and loose content lookahead). Prefer exact status and Jolokia-specific JSON indicators (e.g., "status":200, expected request/value fields).

🎯 Suggested matcher hardening
         response:
           condition_type: and
           conditions:
             status_code:
-              regex: '200'
+              regex: '^200$'
               reverse: false
             content:
-              regex: '(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)'
+              regex: '(?s)(?=.*"status"\s*:\s*200)(?=.*addNetworkConnector)(?=.*org\.apache\.activemq)'
               reverse: false
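Review bot: the `'^200$'` anchor in the status_code condition only tightens anything if Nettacker applies the regex to the status code as a string; if the engine compares an integer, the anchored pattern would never match and the module would fall silent rather than become stricter, so confirm that behaviour before adopting the first change. The added `"status"\s*:\s*200` lookahead in the content condition is the more valuable part of the hunk: Jolokia reports a failed request with HTTP 200 and a non-200 JSON `"status"` while still echoing the request body, so the original two lookaheads see addNetworkConnector and org.apache.activemq in an error response and cannot tell it from a success.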
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml` around lines
62 - 67, The current matcher in the YAML uses a loose status_code regex '200'
and a broad content lookahead which causes false positives; update the
status_code matcher (symbol: status_code.regex) to require an exact HTTP status
(e.g., '^200$' or a JSON `"status":\s*200` pattern) and tighten the content
matcher (symbol: content.regex) to look for Jolokia-specific JSON fields such as
`"request"` and `"value"` together with the expected payload (e.g., ensure both
`"request":.*addNetworkConnector"` and `"value":.*org.apache.activemq"` or a
combined pattern that matches
`"status":\s*200.*"request":.*addNetworkConnector.*"value":.*org.apache.activemq`),
keeping reverse flags unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml`:
- Line 34: The YAML contains a hardcoded Authorization header value
"Authorization: \"Basic YWRtaW46YWRtaW4=\"" (admin:admin) which must be removed
from a generic detector; instead make the Authorization header
optional/configurable and do not send a default credential. Update the
activemq_cve_2026_34197_jolokia_rce.yaml template to omit the Authorization line
unless a runtime-configured credential is provided (e.g., replace the literal
with a placeholder/variable such as an injected AUTH_HEADER or conditionally
include the header only when credentials are supplied), and ensure any default
credential list is configurable and documented rather than baked into the
detector.
- Around line 51-57: The payload is performing a state-changing exec
("operation": "addNetworkConnector") against the MBean
org.apache.activemq:type=Broker,brokerName=localhost which is unsafe for
non-invasive scans; change the Jolokia request in the YAML to use a read or list
operation (e.g., "operation": "read" or "operation": "list") against the same
mbean or relevant attribute instead of using the exec addNetworkConnector call
so the scanner performs read-only detection only.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3b4ece0c-c598-419c-8c61-19c62dfc8fcf

📥 Commits

Reviewing files that changed from the base of the PR and between f3776b0 and 1a47bbf.

📒 Files selected for processing (2)
  • docs/Modules.md
  • nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml
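To make the matcher-hardening point concrete, the following is an added example (not code from the PR or from Nettacker) that runs the module's loose regexes and the suggested strict ones over constructed Jolokia responses; the `matches` helper mimics an AND of the two YAML conditions and its string comparison of the status code is an assumption about how Nettacker evaluates status_code.

```python
import json
import re

# Matcher as it appears in the PR's YAML (quoted in the review): the status regex
# is unanchored and the content lookaheads only require both strings somewhere.
LOOSE_STATUS = re.compile(r"200")
LOOSE_CONTENT = re.compile(r"(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)")

# Hardened matcher from the review suggestion: exact HTTP status, the Jolokia
# JSON "status" field, and escaped dots in the MBean domain.
STRICT_STATUS = re.compile(r"^200$")
STRICT_CONTENT = re.compile(
    r'(?s)(?=.*"status"\s*:\s*200)(?=.*addNetworkConnector)(?=.*org\.apache\.activemq)'
)

MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"

# Constructed responses (not captured from a real broker). Jolokia reports
# failures with HTTP 200 and a non-200 JSON "status", still echoing the request.
SAMPLES = {
    "exec_ok": (200, json.dumps({
        "request": {"mbean": MBEAN, "operation": "addNetworkConnector", "type": "exec"},
        "status": 200, "value": None, "timestamp": 0})),
    "exec_error": (200, json.dumps({
        "request": {"mbean": MBEAN, "operation": "addNetworkConnector", "type": "exec"},
        "status": 500, "error": "javax.management.MBeanException : ..."})),
    "docs_page": (200, "<html>org.apache.activemq broker docs: addNetworkConnector(uri)</html>"),
    "auth_required": (401, '{"error":"Unauthorized"}'),
}


def matches(status_code, body, status_re, content_re):
    """AND of the two YAML conditions. Applying the status regex to the code as a
    string is this example's assumption about how Nettacker evaluates status_code."""
    return bool(status_re.search(str(status_code))) and bool(content_re.search(body))


def classify(name):
    """Report whether the loose and the strict matcher would flag a sample as vulnerable."""
    status, body = SAMPLES[name]
    return {
        "loose": matches(status, body, LOOSE_STATUS, LOOSE_CONTENT),
        "strict": matches(status, body, STRICT_STATUS, STRICT_CONTENT),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:14s} {classify(sample)}")
```

Only the genuine success passes the strict matcher; the loose one also flags the Jolokia error echo and an unrelated page that merely mentions both strings.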

Comment thread nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml
Comment thread nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml
@Aarush289 Aarush289 changed the title Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) closes #1507 Apr 13, 2026
@Aarush289 Aarush289 changed the title Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) closes #1507 Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) Apr 13, 2026
@Aarush289 Aarush289 changed the title Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) (Fixes #1507) Apr 13, 2026
Development

Successfully merging this pull request may close these issues.

CVE-2026-34197 Apache ActiveMQ module needed

1 participant