Active Exploitation of Critical Vulnerability in Apache ActiveMQ

Published on 23 Nov 2023

Apache has released updates to address a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10 and is reportedly being actively exploited.

Successful exploitation of the vulnerability in the Java OpenWire protocol marshaller could allow a remote attacker with network access to a Java-based OpenWire broker or client to run arbitrary shell commands. The attacker manipulates serialised class types in the OpenWire protocol so that the broker or client instantiates an arbitrary class present on its classpath.

The vulnerability affects the following product versions:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Users and administrators of affected products are advised to upgrade both Java OpenWire brokers and clients to a fixed version (5.15.16, 5.16.7, 5.17.6 or 5.18.3, or later) immediately. Upgrading only the broker is not sufficient, since a vulnerable client can also be made to instantiate arbitrary classes.
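The affected ranges have exclusive upper bounds: the fixed release in each line (5.15.16, 5.16.7, 5.17.6, 5.18.3) is itself not vulnerable, and the Legacy OpenWire Module ranges start at 5.8.0 rather than at the beginning of the product line. That is easy to get wrong when triaging an estate by hand, so the following added example (not code from the advisory or from the ActiveMQ project) encodes the ranges exactly as stated above and applies them to version strings pulled from jar filenames. The jar names are constructed sample input, and the `activemq-<module>-<version>.jar` filename pattern is an assumption about how the artefacts are named on disk.

```python
"""Triage helper for CVE-2023-46604: is a given Apache ActiveMQ version affected?

Added example, not part of the original advisory or of the ActiveMQ project.
The ranges below are the affected ranges stated in the advisory; each upper
bound is the first FIXED version and is therefore exclusive.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '5.17.5' into (5, 17, 5); tolerates a suffix such as '-SNAPSHOT'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def normalize(v: Version, width: int = 3) -> Version:
    """Pad to three components so '5.16' compares as 5.16.0, not below it."""
    return tuple(v) + (0,) * max(0, width - len(v))


# (first affected version, first fixed version) per release line, for the broker/client.
BROKER_RANGES: List[Tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0,), (5, 15, 16)),  # "Apache ActiveMQ before 5.15.16"
]

# Same lines for the Legacy OpenWire Module, whose oldest affected range starts at 5.8.0.
LEGACY_OPENWIRE_RANGES: List[Tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((5, 8, 0), (5, 15, 16)),
]


def fixed_version_for(version: str, legacy_openwire_module: bool = False) -> Optional[str]:
    """Return the fixed version to upgrade to if `version` is affected, else None."""
    v = normalize(parse_version(version))
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire_module else BROKER_RANGES
    for low, fixed in ranges:
        if normalize(low) <= v < fixed:  # exclusive upper bound: the fix itself is safe
            return ".".join(str(p) for p in fixed)
    return None


def is_affected(version: str, legacy_openwire_module: bool = False) -> bool:
    return fixed_version_for(version, legacy_openwire_module) is not None


# Assumed artefact naming: activemq-<module>-<version>.jar (hypothetical pattern for this example).
JAR_RE = re.compile(r"^activemq-(?P<module>broker|client|openwire-legacy|all)-(?P<ver>\d+\.\d+\.\d+)\.jar$")


def triage_jars(jar_names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each recognised ActiveMQ jar to the fix version it needs (None = not affected)."""
    results: Dict[str, Optional[str]] = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not an ActiveMQ artefact we know how to assess
        legacy = m.group("module") == "openwire-legacy"
        results[name] = fixed_version_for(m.group("ver"), legacy_openwire_module=legacy)
    return results


# Constructed sample input: a directory listing from a hypothetical broker host.
SAMPLE_JARS = [
    "activemq-broker-5.17.5.jar",
    "activemq-client-5.18.3.jar",
    "activemq-openwire-legacy-5.15.15.jar",
    "activemq-broker-5.15.16.jar",
    "activemq-broker-5.8.0.jar",
    "jackson-core-2.15.2.jar",
]

if __name__ == "__main__":
    for jar, fix in triage_jars(SAMPLE_JARS).items():
        print(f"{jar}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Feed `triage_jars` the output of a listing of the broker's `lib/` directory (or of a client application's dependency tree) to get a per-artefact upgrade target; remember to assess clients as well as brokers, since both sides are in scope.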

More information is available here:

https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46604

https://nvd.nist.gov/vuln/detail/CVE-2023-46604

https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt