Vulnerability Details CVE-2023-46604
The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 10.0
Proposed Action
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Ransomware Campaign
Known
References
- http://seclists.org/fulldisclosure/2024/Apr/18
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20231110-0010/
- https://www.openwall.com/lists/oss-security/2023/10/27/5
- http://seclists.org/fulldisclosure/2024/Apr/18
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20231110-0010/
- https://www.openwall.com/lists/oss-security/2023/10/27/5
Products affected by CVE-2023-46604
-
cpe:2.3:a:apache:activemq:-
-
cpe:2.3:a:apache:activemq:4.0
-
cpe:2.3:a:apache:activemq:4.0.1
-
cpe:2.3:a:apache:activemq:4.0.2
-
cpe:2.3:a:apache:activemq:4.1.0
-
cpe:2.3:a:apache:activemq:4.1.1
-
cpe:2.3:a:apache:activemq:4.1.2
-
cpe:2.3:a:apache:activemq:5.0.0
-
cpe:2.3:a:apache:activemq:5.1.0
-
cpe:2.3:a:apache:activemq:5.10.0
-
cpe:2.3:a:apache:activemq:5.10.1
-
cpe:2.3:a:apache:activemq:5.10.2
-
cpe:2.3:a:apache:activemq:5.11.0
-
cpe:2.3:a:apache:activemq:5.11.1
-
cpe:2.3:a:apache:activemq:5.11.2
-
cpe:2.3:a:apache:activemq:5.11.3
-
cpe:2.3:a:apache:activemq:5.12.0
-
cpe:2.3:a:apache:activemq:5.12.1
-
cpe:2.3:a:apache:activemq:5.12.2
-
cpe:2.3:a:apache:activemq:5.12.3
-
cpe:2.3:a:apache:activemq:5.13.0
-
cpe:2.3:a:apache:activemq:5.13.1
-
cpe:2.3:a:apache:activemq:5.13.2
-
cpe:2.3:a:apache:activemq:5.13.3
-
cpe:2.3:a:apache:activemq:5.13.4
-
cpe:2.3:a:apache:activemq:5.13.5
-
cpe:2.3:a:apache:activemq:5.14.0
-
cpe:2.3:a:apache:activemq:5.14.1
-
cpe:2.3:a:apache:activemq:5.14.2
-
cpe:2.3:a:apache:activemq:5.14.3
-
cpe:2.3:a:apache:activemq:5.14.4
-
cpe:2.3:a:apache:activemq:5.14.5
-
cpe:2.3:a:apache:activemq:5.15.0
-
cpe:2.3:a:apache:activemq:5.15.1
-
cpe:2.3:a:apache:activemq:5.15.10
-
cpe:2.3:a:apache:activemq:5.15.11
-
cpe:2.3:a:apache:activemq:5.15.12
-
cpe:2.3:a:apache:activemq:5.15.13
-
cpe:2.3:a:apache:activemq:5.15.14
-
cpe:2.3:a:apache:activemq:5.15.15
-
cpe:2.3:a:apache:activemq:5.15.2
-
cpe:2.3:a:apache:activemq:5.15.3
-
cpe:2.3:a:apache:activemq:5.15.4
-
cpe:2.3:a:apache:activemq:5.15.5
-
cpe:2.3:a:apache:activemq:5.15.6
-
cpe:2.3:a:apache:activemq:5.15.7
-
cpe:2.3:a:apache:activemq:5.15.8
-
cpe:2.3:a:apache:activemq:5.15.9
-
cpe:2.3:a:apache:activemq:5.16.0
-
cpe:2.3:a:apache:activemq:5.16.1
-
cpe:2.3:a:apache:activemq:5.16.2
-
cpe:2.3:a:apache:activemq:5.16.6
-
cpe:2.3:a:apache:activemq:5.17.0
-
cpe:2.3:a:apache:activemq:5.17.4
-
cpe:2.3:a:apache:activemq:5.18.0
-
cpe:2.3:a:apache:activemq:5.2.0
-
cpe:2.3:a:apache:activemq:5.3.0
-
cpe:2.3:a:apache:activemq:5.3.1
-
cpe:2.3:a:apache:activemq:5.3.2
-
cpe:2.3:a:apache:activemq:5.4.0
-
cpe:2.3:a:apache:activemq:5.4.1
-
cpe:2.3:a:apache:activemq:5.4.2
-
cpe:2.3:a:apache:activemq:5.4.3
-
cpe:2.3:a:apache:activemq:5.5.0
-
cpe:2.3:a:apache:activemq:5.5.1
-
cpe:2.3:a:apache:activemq:5.6.0
-
cpe:2.3:a:apache:activemq:5.7.0
-
cpe:2.3:a:apache:activemq:5.8.0
-
cpe:2.3:a:apache:activemq:5.9.0
-
cpe:2.3:a:apache:activemq:5.9.1
-
cpe:2.3:a:apache:activemq_legacy_openwire_module:*
-
cpe:2.3:a:apache:activemq_legacy_openwire_module:5.16.0
-
cpe:2.3:a:apache:activemq_legacy_openwire_module:5.17.0
-
cpe:2.3:a:apache:activemq_legacy_openwire_module:5.18.0
-
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-
-
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-
-
cpe:2.3:a:netapp:santricity_storage_plugin:-
-
cpe:2.3:o:debian:debian_linux:10.0