Add ActiveMQ Jolokia RCE Detection Module (CVE-2026-34197) (Fixes #1507)

docs/Modules.md

@@ -129,6 +129,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 
 ## Vuln Modules
 
+- '**activemq_cve_2026_34197_jolokia_rce_vuln**' - check Jolokia endpoint for RCE vulnerability CVE-2026-34197
 - '**aiohttp_cve_2024_23334_vuln**' - check the target for CVE-2024-23334
 - '**apache_ofbiz_cve_2024_38856**' - check the target for Apache OFBiz CVE-2024-38856
 - '**apache_struts_vuln**' - check Apache Struts for CVE-2017-5638

nettacker/modules/vuln/activemq_cve_2026_34197_jolokia_rce.yaml

@@ -0,0 +1,106 @@
+info:
+  name: activemq_cve_2026_34197_jolokia_rce_vuln
+  author: Nettacker Team
+  severity: 8.8
+  description: |
+    Detects CVE-2026-34197 in Apache ActiveMQ Classic via Jolokia API.
+    The vulnerability allows execution of addNetworkConnector which can
+    load remote configuration via vm:// and xbean: protocol.
+    This module sends a safe detection payload and checks for successful
+    execution indicators in the response.
+
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-34197
+    - https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
+
+  profiles:
+    - vuln
+    - http
+    - high_severity
+    - cve
+    - cve2026
+    - activemq
+    - jolokia
+    - rce
+
+payloads:
+  - library: http
+    steps:
+      - method: post
+        timeout: 10
+        headers:
+          User-Agent: "{user_agent}"
+          Content-Type: "application/json"
+          Authorization: "Basic YWRtaW46YWRtaW4="
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/api/jolokia/"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 8161
+                - 80
+                - 443
+
+        data: |
+          {{
+            "type": "exec",
+            "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
+            "operation": "addNetworkConnector",
+            "arguments": ["static:(vm://nettacker-probe-000?brokerConfig=none)"]
+          }}
+
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: '200'
+              reverse: false
+            content:
+              regex: '(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)'
+              reverse: false
+
+      - method: post
+        timeout: 10
+        headers:
+          User-Agent: "{user_agent}"
+          Content-Type: "application/json"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/api/jolokia/"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 8161
+                - 80
+                - 443
+
+        data: |
+          {{
+            "type": "exec",
+            "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
+            "operation": "addNetworkConnector",
+            "arguments": ["static:(vm://nettacker-probe-000?brokerConfig=none)"]
+          }}
+
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: '200'
+              reverse: false
+            content:
+              regex: '(?s)(?=.*addNetworkConnector)(?=.*org.apache.activemq)'
+              reverse: false