CVE-2023-46604
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Data
Publication date:
27/10/2023
Last modified:
06/03/2025
Description
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Impact
Base Score 3.x
10.00
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* | | 5.15.16 (excluding) |
| cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* | 5.16.0 (including) | 5.16.7 (excluding) |
| cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* | 5.17.0 (including) | 5.17.6 (excluding) |
| cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* | 5.18.0 (including) | 5.18.3 (excluding) |
| cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:* | | 5.15.16 (excluding) |
| cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:* | 5.16.0 (including) | 5.16.7 (excluding) |
| cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:* | 5.17.0 (including) | 5.17.6 (excluding) |
| cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:* | 5.18.0 (including) | 5.18.3 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:* | | |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://seclists.org/fulldisclosure/2024/Apr/18
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20231110-0010/
- https://www.openwall.com/lists/oss-security/2023/10/27/5