DESCRIPTION:
A vulnerability (CVE-2023-46604) exists in Apache ActiveMQ may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
AFFECTED RELEASES:
ActiveMQ version 5.15.15 and below
ActiveMQ version 5.16.0 to 5.16.6
ActiveMQ version 5.17.0 to 5.17.5
ActiveMQ version 5.18.0 to 5.18.2
ActiveMQ Artemis version 2.31.1 and below
Apache ActiveMQ Legacy OpenWire Module version 5.18.0 to 5.18.2
Apache ActiveMQ Legacy OpenWire Module version 5.17.0 to 5.17.5
Apache ActiveMQ Legacy OpenWire Module version 5.16.0 to 5.16.6
Apache ActiveMQ Legacy OpenWire Module version 5.8.0 to 5.15.15
SOLUTION:
Users and system administrators of affected products are advised to apply the security updates:
(1) ActiveMQ upgrade to version 5.15.16, 5.16.7, 5.17.6, and 5.18.3
(2) ActiveMQ Artemis upgrade to version 2.31.2
REFERENCE:
1. https://activemq.apache.org/news/cve-2023-46604
2. https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
3. https://nvd.nist.gov/vuln/detail/CVE-2023-46604#range-9726821
4. https://socradar.io/critical-rce-vulnerability-in-apache-activemq-is-targeted-by-hellokitty-ransomware-cve-2023-46604/
5. https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10785
6. https://www.ithome.com.tw/news/159685