CVE-2023-46604 Apache ActiveMQ RCE vulnerability

Written by Joshua Cartlidge of the Kudelski Security Threat Detection & Research Team
Summary

On October 25, 2023, Apache disclosed an ActiveMQ Remote Code Execution (RCE) vulnerability CVE-2023-46604 and released newer ActiveMQ versions as a remedy. CVE-2023-46604 is attractive to attackers due to its impact and ease of exploitation. In addition, proof-of-concept exploit code and details are readily available, heightening the importance of mitigation.

Apache ActiveMQ is a scalable open-source message broker used in enterprise environments to pass messages between clients and servers. It supports cross-language clients (Java among others) and several wire protocols, including AMQP, MQTT, OpenWire, and STOMP.

CVE-2023-46604 allows attackers to execute arbitrary commands by exploiting the serialized class types within the OpenWire protocol.

Affected Systems and/or Application

The following versions of ActiveMQ are affected:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Technical Details / Attack Overview

An attacker connected to the OpenWire port (61616 by default) can craft an OpenWire packet that causes the broker to unmarshal an ExceptionResponse object. Because the attacker supplies both an arbitrary class name and an arbitrary string parameter to BaseDataStreamMarshaller.createThrowable, the broker instantiates the named class with a single attacker-controlled string passed to its constructor, which is what leads to arbitrary command execution.
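The following is an added illustration, not ActiveMQ's own code: a simplified model of the reflective instantiation pattern described above, with the unchecked form beside a hardened form that refuses any class that is not a Throwable before a constructor can run. The class name ThrowableFactory and both method bodies are assumptions for illustration; only the method name createThrowable comes from the advisory.

```java
import java.lang.reflect.Constructor;

// Added example, not ActiveMQ's own code: a simplified model of the pattern
// behind CVE-2023-46604. The name createThrowable is taken from the advisory;
// the bodies below are an assumed simplification for illustration.
public class ThrowableFactory {

    // UNCHECKED pattern: class name and message both arrive off the wire, so
    // any class with a public (String) constructor can be instantiated.
    static Throwable createThrowableUnchecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    // HARDENED pattern: resolve the class without running its static
    // initializer, then reject anything that is not a Throwable before any
    // constructor is invoked.
    static Throwable createThrowableChecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, ThrowableFactory.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a Throwable: " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Legitimate use: a real exception class is accepted by the checked version.
        System.out.println(createThrowableChecked("java.lang.IllegalStateException", "broker busy"));

        // Constructed hostile input: a non-Throwable class with a (String)
        // constructor. java.lang.StringBuilder is a harmless stand-in here.
        try {
            createThrowableUnchecked("java.lang.StringBuilder", "attacker-controlled");
        } catch (ClassCastException e) {
            // The cast fails only AFTER the constructor has already executed,
            // so whatever side effects that constructor has cannot be undone.
            System.out.println("unchecked: constructor ran before the cast failed");
        }
        try {
            createThrowableChecked("java.lang.StringBuilder", "attacker-controlled");
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected -> " + e.getMessage());
        }
    }
}
```

The point to take from the two calls is the ordering: the unchecked path validates the type only by casting the result, which is too late, while the checked path validates the class before any code in it runs.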

Solution

Kudelski Security strongly recommends patching impacted systems to prevent exploitation by upgrading to the fixed versions (5.15.16, 5.16.7, 5.17.6, or 5.18.3, depending on the release line in use).

What the Cyber Fusion Center (CFC) is doing

At the time of writing, vulnerability scan plugins for CVE-2023-46604 have been released. Upon completion of a vulnerability scan, clients with the relevant service will receive cases if applicable.

The CFC will continue to monitor the situation and decide on next steps like a threat hunting campaign if the relevant data are available and actionable.
