CVE-2023-46604
Published: 27 October 2023
Summary
CVE-2023-46604 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache ActiveMQ. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2023-46604 affects the Java OpenWire protocol marshaller in Apache ActiveMQ brokers and clients. It stems from unsafe deserialization of class types that permits an attacker to instantiate arbitrary classes present on the classpath, resulting in remote code execution with a CVSS score of 10.0 and classification under CWE-502.
A remote attacker with network access to either an OpenWire broker or client can exploit the flaw by sending crafted serialized payloads over the protocol. Successful exploitation allows execution of arbitrary shell commands on the target system, with the attack surface extending bidirectionally between clients and brokers.
Official advisories from the Apache ActiveMQ project and downstream vendors such as Debian and NetApp direct users to upgrade both brokers and clients to versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3. Additional references include public exploit code and coordinated disclosure notifications that reinforce the same patching guidance.
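Because the advisory names one fixed release per maintained 5.x branch and requires both brokers and clients to be upgraded, the practical remediation check is a version comparison across an inventory. The following is an added example (not code from the ActiveMQ project or from this record) that classifies each version against the four fixed releases named above; hostnames and versions in the sample inventory are constructed, and the treatment of branches older than 5.15 as vulnerable is an assumption, since the advisory names no fix for them.

```python
"""Added example: triage an ActiveMQ inventory against the CVE-2023-46604 fixed versions."""
from typing import Dict, List, Tuple

# Fixed releases named in the advisory for CVE-2023-46604, one per maintained 5.x branch.
FIXED_VERSIONS = ("5.15.16", "5.16.7", "5.17.6", "5.18.3")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing qualifier such as '-SNAPSHOT' is dropped."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


# Map each fixed branch (major, minor) to its first fixed patch level.
_FIXED_BY_BRANCH: Dict[Tuple[int, int], int] = {
    (v[0], v[1]): v[2] for v in map(parse_version, FIXED_VERSIONS)
}
_OLDEST_FIXED_BRANCH = min(_FIXED_BY_BRANCH)
_NEWEST_FIXED_BRANCH = max(_FIXED_BY_BRANCH)


def assess(version: str) -> str:
    """Classify one broker or client version as 'vulnerable', 'fixed' or 'not-covered'.

    'not-covered' means the branch is newer than any the advisory lists, so this
    check cannot decide and the release notes must be consulted instead.
    Branches older than 5.15 are treated as vulnerable (assumption: they never
    received a fix, since the advisory names none for them).
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in _FIXED_BY_BRANCH:
        return "fixed" if patch >= _FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch < _OLDEST_FIXED_BRANCH:
        return "vulnerable"
    return "not-covered"


def upgrade_target(version: str) -> str:
    """Fixed release on the same branch, or the newest fixed release for older branches."""
    major, minor, _ = parse_version(version)
    branch = (major, minor)
    if branch in _FIXED_BY_BRANCH:
        return f"{major}.{minor}.{_FIXED_BY_BRANCH[branch]}"
    if branch < _OLDEST_FIXED_BRANCH:
        newest = _NEWEST_FIXED_BRANCH
        return f"{newest[0]}.{newest[1]}.{_FIXED_BY_BRANCH[newest]}"
    raise ValueError(f"no advisory target known for {version!r}")


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, role, version, upgrade_target) for every vulnerable entry.

    Brokers and clients are both checked because the flaw is exploitable in
    either direction over OpenWire.
    """
    findings = []
    for host, role, version in inventory:
        if assess(version) == "vulnerable":
            findings.append((host, role, version, upgrade_target(version)))
    return findings


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("mq-broker-01.example.internal", "broker", "5.18.2"),
    ("mq-broker-02.example.internal", "broker", "5.18.3"),
    ("order-service.example.internal", "client", "5.15.15-SNAPSHOT"),
    ("legacy-etl.example.internal", "client", "5.14.5"),
    ("mq-broker-03.example.internal", "broker", "5.17.6"),
]

if __name__ == "__main__":
    for host, role, version, target in triage(SAMPLE_INVENTORY):
        print(f"{host} ({role}) runs {version}: upgrade to {target}")
```

The comparison is done per branch rather than as a single "greater than 5.18.3" test, because 5.16.7 is a fixed release while 5.17.5 is not, which a flat ordering would get wrong.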
The associated EPSS score has remained at a high level, with a current value of 0.9444 and a recorded peak of 0.9731, consistent with sustained exploitation interest following public release of proof-of-concept material.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2719
Vulnerability details
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
- CWE(s): CWE-502
- KEV Date Added: 02 November 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks the unsafe deserialization of attacker-supplied OpenWire class-type objects before instantiation occurs.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor-supplied patches (5.15.16/5.16.7/5.17.6/5.18.3) that eliminate the vulnerable marshaller.
- Verifies integrity of ActiveMQ binaries and configuration to ensure only patched, untampered code handles OpenWire traffic.