CVE-2023-46604

Unbounded deserialization causes ActiveMQ to be vulnerable to RCE

Publication Date: 27-10-2023

Apache ActiveMQ Legacy OpenWire Module - Remote Code Execution

HTB - Broker

This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. 

"dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {
        "cveId": "CVE-2023-46604",
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "state": "PUBLISHED",
        "assignerShortName": "apache",
        "dateReserved": "2023-10-24T08:55:31.050Z",
        "datePublished": "2023-10-27T14:59:31.046Z",
        "dateUpdated": "2023-11-28T15:02:28.206Z"
    },
    "containers": {
        "cna": {
            "affected": [
                {
                    "collectionURL": "https://repo.maven.apache.org/maven2",
                    "defaultStatus": "unaffected",
                    "packageName": "org.apache.activemq:activemq-client",
                    "product": "Apache ActiveMQ",
                    "vendor": "Apache Software Foundation",
                    "versions": [
                        {
                            "lessThan": "5.18.3",
                            "status": "affected",
                            "version": "5.18.0",
                            "versionType": "semver"
                        },
                        {
                            "lessThan": "5.17.6",
                            "status": "affected",
                            "version": "5.17.0",
                            "versionType": "semver"
                        },
                        {
                            "lessThan": "5.16.7",
                            "status": "affected",
                            "version": "5.16.0",
                            "versionType": "semver"
                        },
                        {
                            "lessThan": "5.15.16",
                            "status": "affected",
                            "version": "0",
                            "versionType": "semver"
                        }
                    ]
                },
                {

Score: NVD: 9.8 // Apache Foundation: 10

"metrics": [
                {
                    "cvssV3_1": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "HIGH",
                        "baseScore": 10,
                        "baseSeverity": "CRITICAL",
                        "confidentialityImpact": "LOW",
                        "integrityImpact": "HIGH",
                        "privilegesRequired": "NONE",
                        "scope": "CHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
                        "version": "3.1"
                    },

Resources:

POC:

PreviousCVE-2023-6200NextCVE-2023-42942

Last updated