Fortra’s Alert Logic is actively researching a remote code execution (RCE) vulnerability in Apache ActiveMQ. This vulnerability, CVE-2023-46604, may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Who is affected?
Customers using the following versions of Apache ActiveMQ are affected.
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
What can I do?
Users are recommended to upgrade to one of the following versions in which the issue is fixed.
How is Alert Logic helping me?
Alert Logic is actively researching this threat to build detection capabilities in addition to those listed below.
Network IDS: Alert Logic has released IDS telemetry signatures to aid in detection research.
Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Vulnerability Scanning: Alert Logic released unauthenticated scan coverage to identify CVE-2023-46604 through banner detection. If the vulnerability is found, an exposure will be raised for CVE-2023-46604.
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
11/03/2023: On October 31, Alert Logic release unauthenticated scan detection for this vulnerability.