PT-2023-29273 · Apache · Apache Activemq

Published 2023-11-15 · Updated 2023-11-16 · CVE-2023-44604

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ versions prior to 5.15.16
Apache ActiveMQ versions prior to 5.16.7
Apache ActiveMQ versions prior to 5.17.6
Apache ActiveMQ versions prior to 5.18.3

Description

A new PoC exploit for the Apache ActiveMQ vulnerability allows attackers to remain undetected. Researchers from VulnCheck demonstrated a new technique that uses the vulnerability in Apache ActiveMQ to execute arbitrary code in memory. Although Apache fixed the flaw in versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, the vulnerability continues to be actively exploited by operators of ransomware such as HelloKitty and TellYouThePass, as well as for the distribution of SparkRAT. The attackers rely on the initial PoC exploit, which was publicly disclosed on October 25, 2023. ClassPathXmlApplicationContext and FileSystemXmlApplicationContext are used to load a malicious XML component configuration file via HTTP and achieve unauthenticated remote code execution on the server. A SpEL expression is embedded in place of the init-method attribute, which lets the attackers avoid dropping malicious tools on disk.

Recommendations

For Apache ActiveMQ versions prior to 5.15.16, update to version 5.15.16 or later.
For Apache ActiveMQ versions prior to 5.16.7, update to version 5.16.7 or later.
For Apache ActiveMQ versions prior to 5.17.6, update to version 5.17.6 or later.
For Apache ActiveMQ versions prior to 5.18.3, update to version 5.18.3 or later.

As a temporary workaround, consider restricting access to the ClassPathXmlApplicationContext and FileSystemXmlApplicationContext to minimize the risk of exploitation. Avoid using the init-method attribute in the affected XML component configuration file until the issue is resolved.
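
The per-branch upgrade targets above can be applied to a broker inventory with a short triage script. This is an added example, not code from the advisory or from Apache; the host names and inventory format are constructed, and it assumes each listed version is the fixed release of its own minor branch and that branches newer than 5.18 already carry the fix.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) branch.
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# Constructed sample inventory ("host version"), not real data.
SAMPLE_INVENTORY = """\
mq-a 5.15.15
mq-b apache-activemq-5.16.7
mq-c 5.18.3-SNAPSHOT
mq-d 5.14.5
mq-e 6.0.0
"""


def parse_version(text):
    """Extract (major, minor, patch) from '5.17.5' or 'apache-activemq-5.16.7'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(text):
    """Return (affected, minimum fixed version or None) for one version string."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        fixed = FIXED[branch]
        # Assumption: a -SNAPSHOT build of the fixed release may predate the fix.
        prerelease = patch == fixed and "SNAPSHOT" in text.upper()
        if patch < fixed or prerelease:
            return True, f"{major}.{minor}.{fixed}"
        return False, None
    if branch < min(FIXED):  # older than every listed branch
        return True, "5.15.16"
    # Assumption: branches newer than 5.18 already carry the fix.
    return False, None


def triage_inventory(inventory):
    """Map each 'host version' line to its triage result."""
    rows = (line.split(None, 1) for line in inventory.splitlines() if line.strip())
    return {host: triage(version) for host, version in rows}


if __name__ == "__main__":
    for host, (affected, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, "AFFECTED, upgrade to >= " + target if affected else "ok")
```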

Related Identifiers

CVE-2023-44604

Affected Products

Apache Activemq