# CVE-2026-42588 — Apache ActiveMQ Classic Jolokia addNetworkConnector RCE
# Vulnerable broker. Pinned to 6.1.4 (in affected range 6.0.0–6.2.5).
#
# This image is a thin, UNMODIFIED wrapper around the official Apache
# distribution image. We do NOT touch any conf file (jolokia-access.xml,
# jetty.xml, users.properties all stay stock) — the vulnerability lives in
# the stock default policy and must remain stock to be reproducible.
FROM apache/activemq-classic:6.1.4

# Stock image already sets -Djetty.host=0.0.0.0 in ACTIVEMQ_OPTS, so the web
# console / Jolokia bridge binds on all interfaces inside the container. We
# only publish it to 127.0.0.1 on the host (see docker-compose.yml).

# No CMD/ENTRYPOINT override: keep the stock entrypoint + `activemq console`.