Published on 23 Nov 2023
Apache has released updates to address a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10 and is reportedly being actively exploited.
Successful exploitation of the vulnerability in the Java OpenWire protocol marshaller could allow a remote attacker with network access to a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialised class types in the OpenWire protocol.
The vulnerability affects the following product versions:
Users and administrators of affected products are advised to upgrade both Java OpenWire brokers and clients to the latest versions immediately.
More information is available here:
https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46604
https://nvd.nist.gov/vuln/detail/CVE-2023-46604
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt