PT-2023-6605 · Apache +3 · Apache Activemq +3

Yejie@Threatbook.Cn · Published 2023-10-27 · Updated 2025-10-14 · CVE-2023-46604

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ versions prior to 5.15.16
Apache ActiveMQ versions prior to 5.16.7
Apache ActiveMQ versions prior to 5.17.6
Apache ActiveMQ versions prior to 5.18.3

Description

The Java OpenWire protocol marshaller in Apache ActiveMQ is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker to instantiate any class on the classpath. The estimated number of potentially affected devices worldwide is over 3,000 servers. There have been real-world incidents where this issue was exploited, including the installation of HelloKitty ransomware and other malware.

Recommendations

To resolve the issue for each affected version, users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. As a temporary workaround, consider disabling the vulnerable OpenWire protocol until a patch is available. Restrict access to the vulnerable Apache ActiveMQ servers to minimize the risk of exploitation. Avoid using the vulnerable Java OpenWire protocol marshaller in the affected Apache ActiveMQ versions until the issue is resolved.
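
One way to triage an inventory against the fixed versions listed above, as an added example that is not part of the original advisory or of Apache's tooling: it classifies ActiveMQ broker and client jars by release branch. The jar-name pattern, the sample paths, and the handling of pre-release builds and of branches newer than 5.18 are assumptions.

```python
import re

# Fixed release per branch, as listed in the advisory above.
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}
OLDEST, NEWEST = min(FIXED), max(FIXED)

# e.g. activemq-client-5.17.3.jar, activemq-broker-5.18.3-SNAPSHOT.jar
JAR_RE = re.compile(
    r"^(activemq-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)((?:[-.][A-Za-z0-9]+)*)\.jar$")
PRERELEASE = re.compile(r"snapshot|rc\d*", re.I)

def classify(major, minor, patch, qualifier=""):
    """Return 'affected', 'fixed' or 'unlisted' for one ActiveMQ version."""
    branch = (major, minor)
    if branch < OLDEST:
        return "affected"   # older branches are all prior to 5.15.16
    if branch > NEWEST:
        return "unlisted"   # assumption: the advisory does not cover newer branches
    fixed_patch = FIXED[branch]
    if patch < fixed_patch:
        return "affected"
    if patch == fixed_patch and PRERELEASE.search(qualifier):
        return "affected"   # assumption: pre-release build of the fixed version
    return "fixed"

def triage(paths):
    """Return (path, artifact, version, verdict) for every ActiveMQ jar in a listing."""
    results = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        m = JAR_RE.match(name)
        if not m:
            continue  # not an ActiveMQ artifact
        artifact, qual = m.group(1), m.group(5)
        major, minor, patch = (int(m.group(i)) for i in (2, 3, 4))
        verdict = classify(major, minor, patch, qual)
        results.append((path, artifact, f"{major}.{minor}.{patch}{qual}", verdict))
    return results

# Constructed sample inventory (a broker and client applications), not real hosts.
SAMPLE = [
    "/opt/activemq/lib/activemq-broker-5.15.15.jar",
    "/opt/activemq/lib/activemq-client-5.18.3.jar",
    "/srv/app/WEB-INF/lib/activemq-client-5.17.5.jar",
    "/srv/app2/lib/activemq-client-5.18.3-SNAPSHOT.jar",
    "/srv/app3/lib/activemq-client-6.0.0.jar",
    "/srv/app3/lib/log4j-core-2.17.1.jar",
]

if __name__ == "__main__":
    for path, artifact, version, verdict in triage(SAMPLE):
        print(f"{verdict:9} {artifact} {version}  {path}")
```

Client jars bundled inside applications are included because the recommendation covers clients as well as brokers.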

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

APACHEACTIVEMQ_CVE2023_46604
BDU:2023-07372
BIT-ACTIVEMQ-2023-46604
CVE-2023-46604
DLA-3657-1
DLA-3936-1
DSA-5798-1
GHSA-CRG9-44H2-XW35
OESA-2023-1778
USN-6910-1
USN-7268-1
ZDI-24-440

Affected Products

Apache ActiveMQ
Bamboo
Linux Mint
Ubuntu