Overview
Apache ActiveMQ contains a critical remote code execution vulnerability in the OpenWire protocol caused by improper validation of serialized class types. Remote attackers can exploit this vulnerability to execute arbitrary shell commands without authentication, leading to complete system compromise. The vulnerability was disclosed on October 27, 2023. CISA has identified CVE-2023-46604 as actively exploited, and it is known to be used in ransomware campaigns.
Technical details
Apache ActiveMQ is vulnerable to remote code execution through the OpenWire protocol, which is the default wire protocol used for client-to-broker and broker-to-broker communication. The vulnerability exists in the ClassPathXmlApplicationContext class instantiation mechanism, which allows attackers to specify arbitrary Spring XML configuration URLs. An attacker can craft a malicious OpenWire message with a specially crafted ExceptionResponse object that references a ClassPathXmlApplicationContext, causing the broker to instantiate the class with an attacker-controlled URL. This allows loading of malicious Spring XML configurations from a remote server, leading to arbitrary code execution.
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).
The vulnerability has received a CVSS v3.1 base score of 10 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
Complete system compromise. An unauthenticated attacker can achieve arbitrary remote code execution with the privileges of the ActiveMQ process (typically root or system user in containerized environments). This allows attackers to: steal sensitive data from the message broker, modify or delete messages, install malware and backdoors, pivot to internal networks, disrupt business operations, and establish persistent presence on the system.
Mitigation and workarounds
Upgrade Apache ActiveMQ to one of the fixed versions. The following versions include the necessary fixes: ActiveMQ 5.15.16, ActiveMQ 5.16.7, ActiveMQ 5.17.6, ActiveMQ 5.18.3, and ActiveMQ 6.0.0 and later. Visit https://activemq.apache.org/download and download the patched release. Stop the ActiveMQ service, replace the installation with the patched version, and restart the service. Verify the upgrade with:
$ ./activemq --version
As temporary workarounds:
- Restrict network access to the OpenWire protocol port (default 61616) using firewall rules. Only allow connections from trusted broker instances and client applications.
- Disable the OpenWire protocol if it is not required and use alternative protocols (AMQP, STOMP, MQTT) that may not be vulnerable. This can be done by modifying the broker configuration to remove the OpenWire transport connector.
- Implement strict network segmentation and run ActiveMQ in a sandboxed environment (containers with minimal privileges). Use AppArmor, SELinux, or seccomp to restrict the ActiveMQ process capabilities.
- Monitor for suspicious OpenWire protocol traffic, particularly ExceptionResponse messages with ClassPathXmlApplicationContext references. Log all connection attempts and message patterns.
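An added detection example for the monitoring workaround (not part of this advisory and not ActiveMQ's own code): a Python content-match over a single length-prefixed OpenWire frame that flags ClassPathXmlApplicationContext references and extracts the referenced URL for triage. The frames below are constructed fixtures, not real captures; the check reads only the frame length and command-type byte and does not implement full OpenWire marshalling, and the command-type codes (ExceptionResponse = 31, KeepAliveInfo = 10) are taken from the OpenWire CommandTypes table.

```python
import re
import struct

# OpenWire command type codes from the CommandTypes table: ExceptionResponse = 31, KeepAliveInfo = 10.
EXCEPTION_RESPONSE = 31
KEEP_ALIVE_INFO = 10
# Class name the vulnerable broker instantiates from attacker-supplied exception data.
SUSPICIOUS_CLASS = b"org.springframework.context.support.ClassPathXmlApplicationContext"
# URL-shaped ASCII run following the class name (the remote Spring XML location).
URL_RE = re.compile(rb"[a-zA-Z][a-zA-Z0-9+.-]*://[\x21-\x7e]+")


def inspect_openwire_frame(frame: bytes) -> dict:
    """Content-match check for one length-prefixed OpenWire frame.

    Not a full OpenWire unmarshaller: reads the 4-byte big-endian length and the
    command-type byte, then looks for the Spring context class name and a URL in the body.
    """
    if len(frame) < 5:
        return {"suspicious": False, "reason": "frame shorter than length prefix + command type"}
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        return {"suspicious": False, "reason": "truncated frame"}
    result = {"suspicious": False, "command_type": body[0], "url": None}
    idx = body.find(SUSPICIOUS_CLASS)
    if idx == -1:
        return result
    result["suspicious"] = True
    result["reason"] = "ClassPathXmlApplicationContext referenced in OpenWire frame"
    match = URL_RE.search(body, idx + len(SUSPICIOUS_CLASS))
    if match:
        result["url"] = match.group(0).decode("ascii")
    return result


def _java_utf(s: str) -> bytes:
    """Java DataOutput.writeUTF layout: 2-byte big-endian length, then the bytes (ASCII here)."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _frame(body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + body


# Constructed fixtures, not real captures. The suspicious frame mimics an ExceptionResponse whose
# throwable names the Spring context class and carries a documentation-range (192.0.2.0/24) URL.
BENIGN_FRAME = _frame(bytes([KEEP_ALIVE_INFO]) + b"\x00")
SUSPICIOUS_FRAME = _frame(bytes([EXCEPTION_RESPONSE]) + b"\x00\x00\x00\x01\x00\x01"
                          + _java_utf(SUSPICIOUS_CLASS.decode()) + b"\x01" + _java_utf("http://192.0.2.10/config.xml"))
```

Run the check over each frame captured on the OpenWire port (default 61616) and alert on any result with `suspicious` set; the extracted URL is the indicator to block and hunt for.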
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI

