CVE-2023-46604

Warning

Exploit

EPSS 94.44%
Published 27.10.2023 15:15:14
Last modified 06.03.2025 19:48:51
Source security@apache.org
Teams watchlist Login
Open Login

The Java OpenWire protocol marshaller is vulnerable to Remote Code 
Execution. This vulnerability may allow a remote attacker with network 
access to either a Java-based OpenWire broker or client to run arbitrary
 shell commands by manipulating serialized class types in the OpenWire 
protocol to cause either the client or the broker (respectively) to 
instantiate any class on the classpath.

Users are recommended to upgrade
 both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 
which fixes this issue.

Affected products Warnungen 1 Metrics 3 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Activemq Version < 5.15.16

Apache ≫ Activemq Version >= 5.16.0 < 5.16.7

Apache ≫ Activemq Version >= 5.17.0 < 5.17.6

Apache ≫ Activemq Version >= 5.18.0 < 5.18.3

Apache ≫ Activemq Legacy Openwire Module Version < 5.15.16

Apache ≫ Activemq Legacy Openwire Module Version >= 5.16.0 < 5.16.7

Apache ≫ Activemq Legacy Openwire Module Version >= 5.17.0 < 5.17.6

Apache ≫ Activemq Legacy Openwire Module Version >= 5.18.0 < 5.18.3

Debian ≫ Debian Linux Version10.0

Netapp ≫ E-series Santricity Unified Manager Version-

Netapp ≫ E-series Santricity Web Services Proxy Version-

Netapp ≫ Santricity Storage Plugin Version- SwPlatformvcenter

02.11.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache ActiveMQ Deserialization of Untrusted Data Vulnerability

Vulnerability

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions