vulnerability
Apache ActiveMQ: CVE-2023-46604: Unbounded deserialization causes ActiveMQ Classic to be vulnerable to a remote code execution (RCE) attack
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:P/I:C/A:C) | 10/27/2023 | 11/01/2023 | 02/17/2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:P/I:C/A:C)
Published
10/27/2023
Added
11/01/2023
Modified
02/17/2025
Description
The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
Solution
apache-activemq-upgrade-latest
References
- CVE-2023-46604
- https://attackerkb.com/topics/CVE-2023-46604
- URL-http://seclists.org/fulldisclosure/2024/Apr/18
- URL-https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- URL-https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- URL-https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- URL-https://security.netapp.com/advisory/ntap-20231110-0010/
- URL-https://www.openwall.com/lists/oss-security/2023/10/27/5
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.