CVE-2023-46604

Analysis and mitigation of the ActiveMQ vulnerability, CRITICAL (CVSS 10)

High-profile threat

Overview

Apache ActiveMQ contains a critical remote code execution vulnerability in the OpenWire protocol, caused by missing validation of the class type the broker instantiates while unmarshalling a serialized exception. An unauthenticated remote attacker who can reach the OpenWire port can exploit it to run arbitrary commands on the broker host, leading to complete system compromise. The vulnerability was disclosed on October 27, 2023. CISA has listed CVE-2023-46604 as known to be exploited, and it has been used in ransomware campaigns.

Technical details

Apache ActiveMQ is vulnerable to remote code execution through OpenWire, the default wire protocol for client-to-broker and broker-to-broker communication (TCP port 61616 by default). When the OpenWire marshaller unmarshals an ExceptionResponse command, it reads an exception class name and a message string from the frame and instantiates the named class by reflection, passing the message as the single String constructor argument, without first checking that the class is actually a Throwable. Because this happens in the transport layer, before the broker has authenticated the connection, no credentials are required. An attacker therefore sends an ExceptionResponse whose class name is org.springframework.context.support.ClassPathXmlApplicationContext (Spring ships with the broker) and whose message is a URL under the attacker's control. The broker constructs that class with the URL, which fetches the remote Spring XML configuration and instantiates the beans it declares; a bean definition that invokes java.lang.ProcessBuilder, for example, runs arbitrary commands with the broker's privileges.

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).

The vulnerability received a CVSS v3.1 base score of 10.0 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity and availability.

Impact

Complete system compromise. An unauthenticated attacker gains arbitrary code execution with the privileges of the ActiveMQ broker process; if the broker runs as root, that is full host compromise. From there an attacker can read or alter queued messages, install malware and backdoors, pivot into internal networks, disrupt business operations, and establish persistence on the system.

Mitigation and workarounds

Upgrade Apache ActiveMQ to a fixed release. The following versions include the fix: ActiveMQ 5.15.16, 5.16.7, 5.17.6, 5.18.3, and 6.0.0 and later. Download the patched release from https://activemq.apache.org/download, stop the ActiveMQ service, replace the installation with the patched version, and restart the service. Verify the upgrade with: $ ./activemq --version. The vulnerable marshaller lives in the OpenWire client library, so applications that embed the ActiveMQ client or an embedded broker need the same update, not just standalone brokers.

As temporary workarounds:

- Restrict network access to the OpenWire port (default 61616) with firewall rules, allowing connections only from trusted broker instances and client applications.
- Disable the OpenWire transport connector in the broker configuration if it is not required, and use AMQP, STOMP or MQTT instead; those transports do not go through the OpenWire marshaller that contains the flaw.
- Apply strict network segmentation and run ActiveMQ with minimal privileges: an unprivileged service account, and a container or host profile (AppArmor, SELinux, seccomp) that restricts what the broker process can do.
- Monitor OpenWire traffic for ExceptionResponse commands that reference ClassPathXmlApplicationContext or carry a URL in the exception message, watch for the broker's Java process fetching remote XML or spawning child processes, and log all connection attempts and message patterns.

CISA recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Source: This report was generated by AI.

Related Apache Software Foundation vulnerabilities

No related vulnerabilities identified for the affected products.