10

CVE-2023-46604

Warnung
Medienbericht
Exploit

Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

The Java OpenWire protocol marshaller is vulnerable to Remote Code 
Execution. This vulnerability may allow a remote attacker with network 
access to either a Java-based OpenWire broker or client to run arbitrary
 shell commands by manipulating serialized class types in the OpenWire 
protocol to cause either the client or the broker (respectively) to 
instantiate any class on the classpath.

Users are recommended to upgrade
 both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 
which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheActivemq Version < 5.15.16
ApacheActivemq Version >= 5.16.0 < 5.16.7
ApacheActivemq Version >= 5.17.0 < 5.17.6
ApacheActivemq Version >= 5.18.0 < 5.18.3
ApacheActivemq Legacy Openwire Module Version >= 5.16.0 < 5.16.7
ApacheActivemq Legacy Openwire Module Version >= 5.17.0 < 5.17.6
ApacheActivemq Legacy Openwire Module Version >= 5.18.0 < 5.18.3
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
NetappSantricity Storage Plugin Version- SwPlatformvcenter

02.11.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache ActiveMQ Deserialization of Untrusted Data Vulnerability

Schwachstelle

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.65% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@apache.org 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
21.04.2026 13:32
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.04.2026 11:55
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.04.2026 05:39
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
10.04.2026 15:19
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.04.2026 19:37
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
Mailing List
http://seclists.org/fulldisclosure/2024/Apr/18
Third Party Advisory
Mailing List
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
Vendor Advisory
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
Third Party Advisory
Exploit
VDB Entry
https://security.netapp.com/advisory/ntap-20231110-0010/
Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/10/27/5
Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46604
Third Party Advisory
US Government Resource
https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html
Mailing List