Critical vulnerability impacts Apache ActiveMQ

On October 25, 2023, Apache publicly disclosed a Remote Code Execution (RCE) vulnerability in ActiveMQ, CVE-2023-46604, which carries the maximum CVSS v3 base score of 10.0. The vulnerability is particularly attractive to malicious actors because its impact is severe and its exploitation is straightforward. Publicly available proof-of-concept exploit code and detailed technical write-ups make it urgent to apply protective measures.

Unveiling the Vulnerability

CVE-2023-46604 (CVSS 10.0) lets an attacker combine "gadgets" present on the broker's classpath, the Java reflection API, and a missing type check in the OpenWire protocol marshaller to instantiate arbitrary classes and execute code remotely.

Concretely, the attacker connects to the OpenWire listener (TCP port 61616 by default) and sends a crafted packet carrying an ExceptionResponse. When the broker unmarshals it, the attacker-supplied class name and a single string argument are handed to BaseDataStreamMarshaller.createThrowable, which resolves the class by name and invokes its String constructor through reflection without first verifying that the class is actually a Throwable. The attacker can therefore make the broker instantiate any class on its classpath that has a single-String constructor, which is enough to reach classpath gadgets that execute arbitrary commands.
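The reflective pattern at the heart of the bug, and the shape of the fix, as an added Java example. This is not ActiveMQ's own code: the class and method names below (ThrowableMarshallerDemo, createThrowableVulnerable, createThrowableHardened, SideEffectGadget) are assumptions made for illustration, and SideEffectGadget is a harmless stand-in for a real classpath gadget whose String constructor has side effects. The hardened variant is modelled on the fix in the patched releases, which validates that the resolved class is a Throwable before instantiating it.

```java
import java.lang.reflect.Constructor;

/**
 * Added example (not ActiveMQ source). Shows why resolving a class by an
 * attacker-supplied name and calling its String constructor is dangerous,
 * and how a type check before instantiation closes the hole.
 */
public class ThrowableMarshallerDemo {

    /** Hypothetical gadget: any class with a (String) constructor is reachable. */
    public static class SideEffectGadget {
        static String lastArgument = null;

        public SideEffectGadget(String arg) {
            // A real gadget would do something dangerous here (load config from a
            // URL, run a command, ...). We only record that we were invoked.
            lastArgument = arg;
        }
    }

    /** Vulnerable shape: class name and message both come from the network. */
    static Object createThrowableVulnerable(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);   // only a (String) ctor is required
        return ctor.newInstance(message);                           // attacker picks the class
    }

    /** Hardened shape: refuse anything that is not a Throwable before touching its constructor. */
    static Throwable createThrowableHardened(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className);
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " is not a Throwable");
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Legitimate ExceptionResponse: a real exception class, works on both paths.
        Object legit = createThrowableVulnerable("java.lang.IllegalStateException", "broker error");
        System.out.println("legit class instantiated: " + legit.getClass().getName());
        System.out.println("hardened accepts it too: "
                + createThrowableHardened("java.lang.IllegalStateException", "broker error").getMessage());

        // Attacker-chosen class name (constructed input, not a Throwable).
        String gadget = ThrowableMarshallerDemo.class.getName() + "$SideEffectGadget";

        createThrowableVulnerable(gadget, "attacker-controlled string");
        System.out.println("vulnerable path ran gadget constructor with: " + SideEffectGadget.lastArgument);

        SideEffectGadget.lastArgument = null;
        try {
            createThrowableHardened(gadget, "attacker-controlled string");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened path rejected: " + e.getMessage());
        }
        System.out.println("gadget constructor ran on hardened path: " + (SideEffectGadget.lastArgument != null));
    }
}
```

Compile and run with `javac ThrowableMarshallerDemo.java && java ThrowableMarshallerDemo`. The point to take away is that the check has to happen on the resolved Class object before newInstance is called; casting the result to Throwable afterwards is too late, because the constructor (and whatever side effect it carries) has already executed.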

Apache ActiveMQ

Apache ActiveMQ is the most popular open source, multi-protocol, Java-based message broker.

It supports industry-standard protocols, so users benefit from client choices across a broad range of languages and platforms. It lets you integrate multi-platform applications using the AMQP protocol and exchange messages between your web applications using STOMP over WebSockets.

Affected Systems and/or Application

The following versions of ActiveMQ are affected:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Fixes

If you are running one of the affected versions listed above, we strongly recommend upgrading to the fixed release for your branch (5.15.16, 5.16.7, 5.17.6, or 5.18.3). Until you can upgrade, restrict network access to the OpenWire listener (TCP port 61616 by default) to trusted clients only, since exploitation requires nothing more than the ability to open a connection to that port.

Prevention

Beyond patching, we should be proactive and deploy runtime defences such as Runtime Application Self-Protection (RASP). Because RASP is integrated into the application itself, it can monitor and block malicious behaviour from within the process; in this case it could potentially have prevented the attack by detecting and blocking the malicious activity at runtime.

Endpoint Detection and Response (EDR) is also important: it can intervene at process creation, so a command spawned by an exploited broker can be caught early, before it does further damage.

While RASP and EDR are not foolproof, they still offer significant protection when a patch cannot be applied immediately.
