Hi, TomEE does not ship the ActiveMQ Web Console at all. TomEE Plus (and Plume) only bundle the following ActiveMQ artifacts: activemq-broker, activemq-client, activemq-ra, activemq-jdbc-store and activemq-openwire-legacy. The web console lives in separate artifacts (activemq-web-console / activemq-web, plus Jetty and Jolokia), and none of them are part of any TomEE distribution. That is also why you cannot find a jetty-realm file; there is no Jetty in TomEE Plus.
TomEE starts an embedded broker through the ActiveMQ resource adapter. The default configuration is BrokerXmlConfig broker:(tcp://localhost:61616)?useJmx=false, so only port 61616 is opened. Additionally, TomEE's broker factory explicitly disables the JMX connector (ManagementContext.setCreateConnector(false)). So neither the web console nor the JMX/Jolokia layer the CVE relies on exists at runtime, which matches your curl result on port 8161.

To answer your question directly: yes, in a pure TomEE Plus context this CVE is a false positive. The only way to be exposed would be to deliberately deploy the ActiveMQ Web Console WAR yourself into TomEE and wire it to the embedded broker, which is nothing TomEE does or documents.

Regards
Richard

> On 28.05.2026 at 15:33, COURTAULT Francois <[email protected]> wrote:
>
> THALES GROUP LIMITED DISTRIBUTION to email recipients
>
> Hello everyone,
>
> I am pursuing my investigations about this CVE.
> From the information I got from the internet, my understanding is that ActiveMQ
> could have 2 ports opened:
> - 8161 for the ActiveMQ console
> - 61616 for the message broker itself
>
> Is my understanding correct?
>
> My TomEE Plus is running in a custom Docker container.
> If I enter this container and perform a curl -v -H 'Authorization: Basic
> YWRtaW46YWRtaW4=' http://localhost:8161/admin, I get:
> * Trying ::1:8161...
> * connect to ::1 port 8161 failed: Connection refused
> * Trying 127.0.0.1:8161...
> * connect to 127.0.0.1 port 8161 failed: Connection refused
> which means that the ActiveMQ console is not reachable.
>
> Moreover, I try to find the jetty-realm file but I can't find it in TomEE Plus.
>
> So all of this evidence makes me think that CVE-2026-34197, in a pure TomEE
> Plus context, is a false positive as the ActiveMQ console is not deployed.
> Do you confirm?
>
> Best regards.
>
> -----Original Message-----
> From: COURTAULT Francois <[email protected]>
> Sent: Wednesday 27 May 2026 18:53
> To: [email protected]
> Subject: RE: [ANNOUNCE] Apache TomEE 10.1.5
>
> THALES GROUP LIMITED DISTRIBUTION to email recipients
>
> Hello everyone,
>
> Forget my last post.
> If I look at CVE-2026-34197, it requires user/password authentication on the
> ActiveMQ console using the following URL: http://localhost:8161/admin and
> then a call to http://localhost:8161/api/jolokia/.
>
> I think that if we use any JMS APIs in our code, ActiveMQ will be started,
> right?
>
> The question is: does the ActiveMQ console start as well?
> If yes, is there a way to forbid access to the path api/jolokia?
>
> Best Regards.
>
> -----Original Message-----
> From: COURTAULT Francois <[email protected]>
> Sent: Wednesday 27 May 2026 18:22
> To: [email protected]
> Subject: RE: [ANNOUNCE] Apache TomEE 10.1.5
>
> THALES GROUP LIMITED DISTRIBUTION to email recipients
>
> Hello Richard,
>
> If I look at CVE-2026-34197, it requires user/password authentication using
> the following URL: http://localhost:8161/admin and then a call to
> http://localhost:8161/api/jolokia/.
>
> But it seems that TomEE 10.0.1 doesn't start the ActiveMQ console. So, this
> CVE is not present in TomEE, right?
>
> Is there a way, using TomEE, to start the ActiveMQ console?
> If there is none, then TomEE isn't affected by this CVE, right?
>
> Best Regards.
>
> -----Original Message-----
> From: Richard Zowalla <[email protected]>
> Sent: Tuesday 5 May 2026 12:32
> To: [email protected]
> Subject: Re: [ANNOUNCE] Apache TomEE 10.1.5
>
> Just replace the related jar files in the distribution.
>
>> On 05.05.2026 at 12:27, COURTAULT Francois <[email protected]> wrote:
>>
>> THALES GROUP LIMITED DISTRIBUTION to email recipients
>>
>> Hello,
>>
>> Congrats on this new release 😊
>>
>> Regarding ActiveMQ, I agree that ActiveMQ 6.2.5 was released 15 days
>> after 6.2.4, so it is quite difficult to integrate into TomEE 10.1.5.
>> Do you think there is a high risk if I update ActiveMQ to 6.2.5 instead of
>> 6.2.4 (7 jars to update)?
>>
>> Why not integrate neethi 3.2.2 instead of neethi 3.2.1, which fixes 1
>> critical CVE: CVE-2026-42403? Is it because it hasn't been tagged as Latest?
>> Same question: high risk if I replace neethi 3.2.1 with neethi 3.2.2?
>>
>> Best Regards.
>>
>> -----Original Message-----
>> From: Markus Jung <[email protected]>
>> Sent: Tuesday 5 May 2026 10:30
>> To: [email protected]; [email protected]; [email protected]
>> Subject: [ANNOUNCE] Apache TomEE 10.1.5
>>
>> The Apache TomEE team is pleased to announce the general availability of
>> TomEE 10.1.5
>>
>> Apache TomEE delivers enterprise application containers and services based
>> on, but not limited to, the Enterprise JavaBeans Specification and
>> Java/Jakarta Enterprise Edition Specifications.
>>
>> This release ships fixes related to the implementation of the
>> @OpenIdAuthenticationMechanismDefinition, fixes an issue with resource
>> construction, has a small improvement in logging, and features the usual
>> dependency upgrades.
>>
>> Full release notes: https://tomee.apache.org/10.1.5/release-notes.html
>>
>> Downloads are available at: https://tomee.apache.org/download.html
>>
>> - The Apache TomEE Team
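A way to verify the two points Richard makes (no web-console/Jolokia artifacts shipped, broker started with useJmx=false) on your own TomEE Plus install. This is an added audit script, not part of the thread or of TomEE; the function names and the $TOMEE_HOME/lib plus conf/tomee.xml layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from TomEE): audit a
# TomEE Plus installation for the ActiveMQ web console / Jolokia surface that
# CVE-2026-34197 depends on. Assumed layout: $TOMEE_HOME/lib, $TOMEE_HOME/conf/tomee.xml.

# Print one line per ActiveMQ-related jar in the lib dir, tagged
#   BROKER  - broker/client/RA artifacts TomEE Plus is expected to ship
#   CONSOLE - web console, Jetty or Jolokia artifacts: TomEE never ships these,
#             so their presence means somebody added the console by hand.
classify_activemq_jars() {
    libdir="$1"
    for jar in "$libdir"/*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar")
        case "$name" in
            activemq-web*|jolokia-*|jetty-*) echo "CONSOLE $name" ;;
            activemq-*)                       echo "BROKER $name" ;;
        esac
    done
}

# Return 0 when no CONSOLE-class jars exist and every BrokerXmlConfig line in
# tomee.xml keeps useJmx=false (TomEE's default when nothing is configured);
# return 1 and print a FINDING line for each deviation.
audit_tomee_activemq() {
    home="$1"
    status=0
    if classify_activemq_jars "$home/lib" | grep -q '^CONSOLE'; then
        echo "FINDING: web console/Jolokia artifacts present in $home/lib"
        status=1
    fi
    conf="$home/conf/tomee.xml"
    if [ -f "$conf" ] && grep -q 'BrokerXmlConfig' "$conf" \
       && ! grep 'BrokerXmlConfig' "$conf" | grep -q 'useJmx=false'; then
        echo "FINDING: BrokerXmlConfig in $conf does not set useJmx=false"
        status=1
    fi
    return $status
}
```

Run it as `audit_tomee_activemq "$TOMEE_HOME"` inside the container; a clean exit status together with the refused connection on 8161 confirms the console surface is absent.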
