PT-2023-6605 · Apache · Apache ActiveMQ

Yejie@Threatbook.Cn · Published 2023-10-27 · Updated 2026-06-09

CVE-2023-46604
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ versions prior to 5.15.16
Apache ActiveMQ versions 5.16.x through 5.16.6
Apache ActiveMQ versions 5.17.x through 5.17.5
Apache ActiveMQ versions 5.18.x through 5.18.2
Bamboo Data Center (affected versions not specified)
Bamboo Server (affected versions not specified)
Delta Electronics InfraSuite Device Master (affected versions not specified)

Description
The Java OpenWire protocol marshaller is susceptible to remote code execution due to the deserialization of untrusted data. A remote attacker with network access to a Java-based OpenWire broker or client can execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, forcing the application to instantiate any class on the classpath. Known exploitation uses a maliciously crafted OpenWire command together with Java Spring classes such as ClassPathXmlApplicationContext or FileSystemXmlApplicationContext to load a malicious XML configuration file over HTTP, or embeds SpEL expressions in the init-method attribute to achieve execution in memory.

Approximately 3,000 servers worldwide, primarily in China, the USA, and Russia, have been identified as vulnerable. Real-world incidents include attacks by threat actors such as Andariel and the deployment of LockBit, HelloKitty, and TellYouThePass ransomware, as well as SparkRAT and Cobalt Strike. In one instance, attackers used certutil.exe to drop a Metasploit stager and later used RDP and the SystemSettingsAdminFlows.exe LOLBIN to disable Windows Defender and encrypt the environment.

Recommendations
Upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3. Upgrade Bamboo Data Center and Server to versions 9.2.7, 9.3.5, 9.4.1 or later. At the moment, there is no information about a newer version that contains a fix for this vulnerability for Delta Electronics InfraSuite Device Master.
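The affected ranges and fixed releases above are easy to misread when triaging a fleet (5.16.6 is affected, 5.16.7 is not). The following script is an added example, not part of this advisory or of the ActiveMQ project: it encodes the four Apache ActiveMQ ranges listed in this record, parses version strings as reported by brokers (including suffixed builds such as "5.18.2-SNAPSHOT"), and maps each host in a constructed sample inventory to the release it should be upgraded to. Versions outside the listed ranges are reported as "not in an affected range" rather than "safe", since the advisory says nothing about them.

```python
"""Check Apache ActiveMQ version strings against the affected ranges
listed for CVE-2023-46604 and report the fixed release to upgrade to.

Added example; the ranges are the ones given in this advisory, the
inventory lines below are constructed sample data.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound, exclusive upper bound, fixed release), taken from
# the affected-version list in the advisory. The first entry covers
# "versions prior to 5.15.16".
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 15, 16), "5.15.16"),
    ((5, 16, 0), (5, 16, 7), "5.16.7"),
    ((5, 17, 0), (5, 17, 6), "5.17.6"),
    ((5, 18, 0), (5, 18, 3), "5.18.3"),
]


def parse_version(text: str) -> Version:
    """Turn '5.17.3' (optionally with a suffix such as '5.18.2-SNAPSHOT')
    into a comparable tuple of three integers, padding missing parts with 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def fix_for(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if the
    version does not fall inside any of the listed affected ranges."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:
            return fixed
    return None


def triage(inventory: str) -> dict:
    """Map each host in 'host version' lines to its fix version (or None)."""
    result = {}
    for line in inventory.strip().splitlines():
        host, version = line.split()
        result[host] = fix_for(version)
    return result


# Constructed sample inventory (hypothetical hostnames), not data from the advisory.
SAMPLE_INVENTORY = """
mq-legacy-01 5.15.9
mq-prod-02 5.16.6
mq-prod-03 5.17.6
mq-dev-04 5.18.2-SNAPSHOT
mq-new-05 5.18.3
"""

if __name__ == "__main__":
    for host, fixed in triage(SAMPLE_INVENTORY).items():
        status = f"AFFECTED, upgrade to {fixed}" if fixed else "not in an affected range"
        print(f"{host}: {status}")
```

Feed it the real output of your broker inventory (one "host version" pair per line) to get the upgrade target per host; Bamboo and Delta InfraSuite installs need separate handling because the advisory gives no version ranges for them.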

Tags: Exploit · Fix · RCE · DoS · LPE

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers

APACHEACTIVEMQ_CVE2023_46604
BDU:2023-07372
BIT-ACTIVEMQ-2023-46604
CVE-2023-46604
DLA-3657-1
DLA-3936-1
DSA-5798-1
GHSA-CRG9-44H2-XW35
OESA-2023-1778
USN-6910-1
USN-7268-1
ZDI-24-440

Affected Products

Apache Activemq
Bamboo
Linuxmint
Red Os
Ubuntu