Active Exploitation of Critical Vulnerability in Apache ActiveMQ

Published on 23 Nov 2023

Apache has released updates to address a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) base score of 10.0 out of 10 and is reported to be actively exploited in the wild.

Successful exploitation of the vulnerability in the Java OpenWire protocol marshaller could allow a remote attacker with network access to a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialised class types in the OpenWire protocol. The exposed surface is the OpenWire listener (TCP port 61616 by default); Java OpenWire clients that deserialise responses from an untrusted broker are also in scope.

The vulnerability affects the following product versions (the fixed releases are 5.15.16, 5.16.7, 5.17.6 and 5.18.3; each range below is inclusive of the first version and excludes the fixed one):

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Users and administrators of affected products are advised to upgrade both Java OpenWire brokers and clients to the fixed releases (5.15.16, 5.16.7, 5.17.6 or 5.18.3) or later immediately. Where an upgrade cannot be applied at once, restrict network access to the OpenWire port to trusted clients only, and review broker logs for unexpected connections.
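The following triage script is an added example and is not part of this advisory or of the Apache ActiveMQ project. It turns the affected-version list above into a check: `is_vulnerable()` classifies a version string against the fixed releases per branch, and `extract_provider_version()` pulls the `ProviderVersion` property out of the WireFormatInfo frame an ActiveMQ broker sends on connect. The sample frame is constructed here; its leading bytes are placeholders, and the only layout the parser relies on is the assumed property marshalling (2-byte-length key, one type byte `0x09` for String, 2-byte-length value). `fetch_banner()` and the default port 61616 are assumptions for a live check and are not exercised by the sample.

```python
import re
import socket
import struct
import sys

# First fixed release on each maintained branch (from the affected-version list).
# Anything older than 5.15.16, on any branch, is affected.
FIXED = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
OLDEST_FIXED = (5, 15, 16)


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' (extra suffixes such as '-SNAPSHOT' are ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if this ActiveMQ version falls inside an affected range for CVE-2023-46604."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # 5.15.x is fixed from 5.15.16; every earlier branch has no fix at all.
    # Versions newer than 5.18 compare above OLDEST_FIXED and are treated as fixed.
    return v < OLDEST_FIXED


def _prop(key: bytes, value: bytes) -> bytes:
    """Assumed OpenWire primitive-map encoding of one String property."""
    return (struct.pack(">H", len(key)) + key
            + b"\x09" + struct.pack(">H", len(value)) + value)


# Constructed sample banner: placeholder frame preamble followed by two properties.
SAMPLE_BANNER = (
    b"\x00\x00\x00\x40\x01ActiveMQ\x00\x00\x00\x0c"
    + _prop(b"ProviderName", b"ActiveMQ")
    + _prop(b"ProviderVersion", b"5.18.2")
)


def extract_provider_version(banner: bytes):
    """Return the ProviderVersion string from a WireFormatInfo frame, or None."""
    m = re.search(rb"ProviderVersion\x09(..)", banner, re.DOTALL)
    if not m:
        return None
    (n,) = struct.unpack(">H", m.group(1))
    raw = banner[m.end():m.end() + n]
    if len(raw) != n:
        return None  # truncated frame
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def triage_banner(banner: bytes) -> str:
    """Pure classification step, usable on captured or constructed frames."""
    ver = extract_provider_version(banner)
    if ver is None:
        return "unknown: no ProviderVersion property in banner"
    try:
        affected = is_vulnerable(ver)
    except ValueError:
        return f"unknown: unparsable version {ver!r}"
    return f"{ver}: {'AFFECTED by CVE-2023-46604' if affected else 'fixed'}"


def fetch_banner(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Live check (assumption): read the WireFormatInfo the broker sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_banner(fetch_banner(sys.argv[1])))
    else:
        print(triage_banner(SAMPLE_BANNER))
```

Run it with a broker hostname to read the live banner, or with no arguments to classify the constructed sample. The version check is authoritative for what this advisory lists; a banner check is only a screening step, since a patched broker behind a proxy or a custom build may report a version string that does not match its actual code.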

More information is available here: