Bug 2246645 (CVE-2023-46604)

Summary: CVE-2023-46604 activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: aileenc, ataylor, chazlett, gmalinko, janstey, jross, pdelbell, rgopired, rkieley, vsroka
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: activemq 5.18.3, activemq 5.17.6, activemq 5.15.16, activemq-openwire-legacy 5.18.3, activemq-openwire-legacy 5.17.6, activemq-openwire-legacy 5.16.7, activemq-openwire-legacy 5.15.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache ActiveMQ, specifically in the OpenWire module. It may allow a remote attacker with network access to the broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on its classpath. The issue occurs when OpenWire commands are unmarshalled without validating the supplied throwable class type, which could allow an attacker to compromise the entire server.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-10-27 19:53:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2246646

Description Zack Miele 2023-10-27 19:44:13 UTC
Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
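
Added illustrative example (not code from ActiveMQ, from Red Hat, or from this bug report) of the unmarshalling pattern the Doc Text describes: a throwable field arrives on the wire as a class name plus a message, and the receiver rebuilds the exception by reflection. The unsafe method trusts the peer-supplied class name and calls whatever (String) constructor it names; the hardened method resolves the class without initializing it and refuses anything that is not a Throwable before any constructor runs. The wire layout (a "present" flag followed by two UTF strings), the class and method names, and the inputs are assumptions constructed for the demo; java.lang.StringBuilder is used only as a harmless non-Throwable that happens to have a public (String) constructor, not as an exploit payload, and the real OpenWire marshaller carries more fields (stack trace, cause) than this sketch.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.lang.reflect.Constructor;

// Illustrative reconstruction of the unsafe/hardened pattern; not ActiveMQ code.
public class ThrowableUnmarshalDemo {

    // Encodes a throwable field in this demo's own layout (assumption):
    // one boolean "present" flag, then the class name and message as UTF strings.
    static byte[] encode(String className, String message) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeBoolean(true);
        out.writeUTF(className);
        out.writeUTF(message);
        out.flush();
        return bos.toByteArray();
    }

    // UNSAFE: the peer chooses the class; any classpath class with a public
    // (String) constructor gets instantiated, Throwable or not.
    static Object unmarshalUnsafe(byte[] wire) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire));
        if (!in.readBoolean()) {
            return null;
        }
        String className = in.readUTF();
        String message = in.readUTF();
        Class<?> clazz = Class.forName(className);           // also runs static initializers
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // HARDENED: resolve the class without initializing it, then require it to be
    // a Throwable before any constructor (or static initializer) can run.
    static Throwable unmarshalSafe(byte[] wire) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire));
        if (!in.readBoolean()) {
            return null;
        }
        String className = in.readUTF();
        String message = in.readUTF();
        Class<?> clazz = Class.forName(className, false,
                ThrowableUnmarshalDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    "refusing to instantiate non-Throwable class " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate exception, and a harmless class that is
        // not a Throwable but has a public (String) constructor.
        byte[] legit = encode("java.lang.IllegalStateException", "queue full");
        byte[] notAThrowable = encode("java.lang.StringBuilder", "placeholder");

        System.out.println("unsafe, legit         : "
                + unmarshalUnsafe(legit).getClass().getName());
        System.out.println("unsafe, non-Throwable : "
                + unmarshalUnsafe(notAThrowable).getClass().getName()); // StringBuilder built
        System.out.println("safe,   legit         : "
                + unmarshalSafe(legit).getClass().getName());
        try {
            unmarshalSafe(notAThrowable);
            System.out.println("safe,   non-Throwable : unexpectedly accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("safe,   non-Throwable : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run with `javac ThrowableUnmarshalDemo.java && java ThrowableUnmarshalDemo`. The two details that matter in the hardened variant are the `false` (do not initialize) argument to Class.forName, so that merely naming a class cannot trigger its static initializer, and the isAssignableFrom check placed before getConstructor, so that the type decision is made before any attacker-influenced code path is reached.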

Comment 8 errata-xmlrpc 2023-11-09 12:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.20

Via RHSA-2023:6849 https://access.redhat.com/errata/RHSA-2023:6849

Comment 9 errata-xmlrpc 2023-11-09 19:11:10 UTC
This issue has been addressed in the following products:

  RHEL-7 based Middleware Containers

Via RHSA-2023:6866 https://access.redhat.com/errata/RHSA-2023:6866

Comment 10 errata-xmlrpc 2023-11-09 21:28:15 UTC
This issue has been addressed in the following products:

  AMQ 6.3 openshift container image

Via RHSA-2023:6877 https://access.redhat.com/errata/RHSA-2023:6877

Comment 12 errata-xmlrpc 2023-11-09 23:26:06 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.10.5

Via RHSA-2023:6878 https://access.redhat.com/errata/RHSA-2023:6878

Comment 13 errata-xmlrpc 2023-11-09 23:26:44 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.11.4

Via RHSA-2023:6879 https://access.redhat.com/errata/RHSA-2023:6879

Comment 14 errata-xmlrpc 2023-11-15 17:08:25 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12.1

Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247

Comment 15 Ram Gopireddy 2023-11-29 19:31:46 UTC
(In reply to errata-xmlrpc from comment #13)
> This issue has been addressed in the following products:
> 
>   AMQ Broker 7.11.4
> 
> Via RHSA-2023:6879 https://access.redhat.com/errata/RHSA-2023:6879

"Fixed in Version" field states that the issue is resolved in activemq 5.18.3, activemq 5.17.6, activemq 5.15.16, activemq-openwire-legacy 5.18.3, activemq-openwire-legacy 5.17.6, activemq-openwire-legacy 5.16.7, activemq-openwire-legacy 5.15.16

Comment #13 says the issue is resolved in 7.11.4, but the product download still shows 5.11.0 jar files. One of my customers reached out to me asking why the vulnerability is still there if we say it is fixed. 

Please help!