Bug 2246645 (CVE-2023-46604) - CVE-2023-46604 activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
Summary: CVE-2023-46604 activemq-openwire: OpenWire Module: Unbounded deserialization ...
Keywords:
Status: NEW
Alias: CVE-2023-46604
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2246646
Reported: 2023-10-27 19:44 UTC by Zack Miele
Modified: 2024-03-02 08:27 UTC (History)

Fixed In Version: activemq 5.18.3, activemq 5.17.6, activemq 5.15.16, activemq-openwire-legacy 5.18.3, activemq-openwire-legacy 5.17.6, activemq-openwire-legacy 5.16.7, activemq-openwire-legacy 5.15.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache ActiveMQ, specifically in the OpenWire module. A remote attacker with network access to a broker's OpenWire transport may be able to run arbitrary shell commands by manipulating the serialized class type carried in an OpenWire command, causing the broker to instantiate any class on the classpath. The issue arises when OpenWire commands are unmarshalled: the supplied throwable class name is loaded and instantiated without validating that it is actually a Throwable, which could allow an attacker to compromise the entire server.
Clone Of:
Environment:
Last Closed: 2023-10-27 19:53:42 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6849 0 None None None 2023-11-09 12:33:31 UTC
Red Hat Product Errata RHSA-2023:6866 0 None None None 2023-11-09 19:11:11 UTC
Red Hat Product Errata RHSA-2023:6877 0 None None None 2023-11-09 21:28:16 UTC
Red Hat Product Errata RHSA-2023:6878 0 None None None 2023-11-09 23:26:08 UTC
Red Hat Product Errata RHSA-2023:6879 0 None None None 2023-11-09 23:26:45 UTC
Red Hat Product Errata RHSA-2023:7247 0 None None None 2023-11-15 17:08:26 UTC

Description Zack Miele 2023-10-27 19:44:13 UTC
Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
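To make the mechanism in the Doc Text and the description above concrete, the following is an added example written for this page; it is not code from Apache ActiveMQ or from Red Hat. It models the two strings an OpenWire exception response carries (a class name and a message) with a constructed ExceptionFrame class, and contrasts the unbounded pattern the advisory describes (reflectively instantiating whatever class name arrives on the wire through its String constructor) with a check that the named class is a Throwable before any constructor runs. The frame class, the method names and the sample class names (java.io.IOException as a legitimate exception, java.io.File as a harmless non-Throwable with a public String constructor) are assumptions for illustration only; no gadget from any real attack is used.

```java
import java.lang.reflect.Constructor;

/**
 * Illustration of the OpenWire unmarshalling flaw tracked as CVE-2023-46604.
 * Added example, not code from Apache ActiveMQ or Red Hat. The frame layout,
 * class names and method names are assumptions for demonstration only.
 */
public class ThrowableUnmarshalDemo {

    /** Constructed stand-in for the two strings an OpenWire exception response carries. */
    static final class ExceptionFrame {
        final String className;
        final String message;

        ExceptionFrame(String className, String message) {
            this.className = className;
            this.message = message;
        }
    }

    /**
     * Pre-fix pattern: the class name read from the wire is loaded and
     * instantiated through its (String) constructor with no check that it is a
     * Throwable. Any class on the classpath with a public String constructor is
     * reachable by the remote peer, which is the "instantiate any class on the
     * classpath" behaviour the advisory describes.
     */
    static Object createThrowableUnbounded(ExceptionFrame frame) throws Exception {
        Class<?> clazz = Class.forName(frame.className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(frame.message);
    }

    /**
     * Hardened pattern: load the class without running its static initialisers
     * (initialize=false) and refuse anything that is not a Throwable before a
     * constructor is ever invoked.
     */
    static Throwable createThrowableValidated(ExceptionFrame frame) throws Exception {
        Class<?> clazz = Class.forName(frame.className, false,
                ThrowableUnmarshalDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    "Refusing to instantiate non-Throwable class from wire: " + frame.className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(frame.message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed frames: a legitimate exception, and a non-Throwable class
        // that merely happens to have a public String constructor. File is
        // harmless here; the point is that the peer chooses which class is built.
        ExceptionFrame legit = new ExceptionFrame("java.io.IOException", "connection reset");
        ExceptionFrame hostile = new ExceptionFrame("java.io.File", "/tmp/peer-controlled");

        System.out.println("unbounded, legit  : "
                + createThrowableUnbounded(legit).getClass().getName());
        System.out.println("unbounded, hostile: "
                + createThrowableUnbounded(hostile).getClass().getName());

        System.out.println("validated, legit  : "
                + createThrowableValidated(legit).getClass().getName());
        try {
            createThrowableValidated(hostile);
            System.out.println("validated, hostile: accepted (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("validated, hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac ThrowableUnmarshalDemo.java && java ThrowableUnmarshalDemo`. The unbounded variant happily returns a java.io.File built from the peer-supplied string, while the validated variant rejects the same frame before any constructor runs. The isAssignableFrom check is the essential part; loading with initialize=false is a belt-and-braces measure so that merely naming a class on the wire cannot trigger its static initialiser during the check.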

Comment 8 errata-xmlrpc 2023-11-09 12:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.20

Via RHSA-2023:6849 https://access.redhat.com/errata/RHSA-2023:6849

Comment 9 errata-xmlrpc 2023-11-09 19:11:10 UTC
This issue has been addressed in the following products:

  RHEL-7 based Middleware Containers

Via RHSA-2023:6866 https://access.redhat.com/errata/RHSA-2023:6866

Comment 10 errata-xmlrpc 2023-11-09 21:28:15 UTC
This issue has been addressed in the following products:

  AMQ 6.3 openshift container image

Via RHSA-2023:6877 https://access.redhat.com/errata/RHSA-2023:6877

Comment 12 errata-xmlrpc 2023-11-09 23:26:06 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.10.5

Via RHSA-2023:6878 https://access.redhat.com/errata/RHSA-2023:6878

Comment 13 errata-xmlrpc 2023-11-09 23:26:44 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.11.4

Via RHSA-2023:6879 https://access.redhat.com/errata/RHSA-2023:6879

Comment 14 errata-xmlrpc 2023-11-15 17:08:25 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12.1

Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247

Comment 15 Ram Gopireddy 2023-11-29 19:31:46 UTC
(In reply to errata-xmlrpc from comment #13)
> This issue has been addressed in the following products:
> 
>   AMQ Broker 7.11.4
> 
> Via RHSA-2023:6879 https://access.redhat.com/errata/RHSA-2023:6879

"Fixed in Version" field states that the issue is resolved in activemq 5.18.3, activemq 5.17.6, activemq 5.15.16, activemq-openwire-legacy 5.18.3, activemq-openwire-legacy 5.17.6, activemq-openwire-legacy 5.16.7, activemq-openwire-legacy 5.15.16

Comment #13 says the issue is resolved in 7.11.4, but the product download still shows 5.11.0 jar files. One of my customers reached out to me asking why the vulnerability is still there if we say it is fixed. 

Please help!

