NEWS

Alert: critical vulnerability in Apache ActiveMQ (CVE-2023-46604)

Ulm University

On October 25, 2023, a critical vulnerability in the open source message broker Apache ActiveMQ was disclosed. The vulnerability is tracked as CVE-2023-46604 and has a CVSS rating of 10.0 ("critical"). It allows remote attackers with network access to an ActiveMQ broker to execute arbitrary shell commands: by manipulating serialized class types in the OpenWire protocol, arbitrary classes on the classpath can be instantiated. The root cause is insecure deserialization (CWE-502). [...]

Which versions are affected:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
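The affected-version ranges above are easy to misread by hand (the lower bounds are inclusive, the upper bounds are the first fixed release and therefore exclusive). The following script is an added example, not part of this advisory or of the Apache ActiveMQ project: it encodes exactly those ranges, parses version strings as reported by a deployment inventory, and flags instances that still need the patch. The inventory format (host, component, version per line) and the sample lines are constructed for the example.

```python
"""Triage an ActiveMQ inventory against the affected ranges for CVE-2023-46604."""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges exactly as listed in the advisory: (inclusive lower bound or None, exclusive upper bound).
# The upper bound of each range is the release that contains the fix.
AFFECTED_RANGES = {
    "activemq": [
        ((5, 18, 0), (5, 18, 3)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 16, 0), (5, 16, 7)),
        (None, (5, 15, 16)),          # every release before 5.15.16
    ],
    "legacy-openwire": [
        ((5, 18, 0), (5, 18, 3)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 16, 0), (5, 16, 7)),
        ((5, 8, 0), (5, 15, 16)),
    ],
}


def parse_version(text: str) -> Version:
    """Reduce a version string to (major, minor, patch).

    Qualifiers such as "-SNAPSHOT" or vendor suffixes like ".redhat-1" are
    dropped; a missing minor/patch component is treated as 0.
    """
    core = re.split(r"[^0-9.]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_affected(version: str, component: str = "activemq") -> bool:
    """True if `version` of `component` falls inside an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES[component]:
        if (low is None or v >= low) and v < high:
            return True
    return False


def fixed_version_for(version: str, component: str = "activemq") -> Optional[str]:
    """Smallest fixed release on the same branch, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES[component]:
        if (low is None or v >= low) and v < high:
            return ".".join(str(n) for n in high)
    return None


def scan_inventory(lines: Iterable[str]) -> List[dict]:
    """Parse "host component version" lines and report the patch status of each.

    Lines that are empty or start with '#' are ignored; unknown components or
    unparseable versions are reported with status "unknown" rather than skipped,
    so they are not silently treated as safe.
    """
    report = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in AFFECTED_RANGES:
            report.append({"line": line, "status": "unknown"})
            continue
        host, component, version = fields
        try:
            affected = is_affected(version, component)
        except ValueError:
            report.append({"host": host, "status": "unknown"})
            continue
        report.append({
            "host": host,
            "component": component,
            "version": version,
            "status": "affected" if affected else "ok",
            "upgrade_to": fixed_version_for(version, component),
        })
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """
# host        component        version
mq-prod-01    activemq         5.18.2
mq-prod-02    activemq         5.18.3
mq-legacy-01  legacy-openwire  5.15.15
mq-legacy-02  legacy-openwire  5.7.0
mq-dev-01     activemq         5.17.5-SNAPSHOT
mq-odd-01     artemis          2.31.0
""".splitlines()

if __name__ == "__main__":
    for entry in scan_inventory(SAMPLE_INVENTORY):
        print(entry)
```

The version check is only the first triage step: it tells you which brokers must be upgraded, not whether one has already been compromised, and it treats anything it cannot parse as "unknown" rather than as safe. Hosts flagged as affected should be upgraded to the fixed release reported in `upgrade_to` and, as the advisory notes, reviewed against the IoCs in the attached BSI document.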

What needs to be done:

Patches are already available to fix this vulnerability. A detailed overview of IOCs (Indicators of Compromise) and further information can be found in the attached BSI document.