CVE-2023-46604: Apache ActiveMQ Actively Exploited For RCE


CVE-2023-46604 Intelligence Summary

Enterprise | CVSS 9.8

Apache ActiveMQ is vulnerable to a CVSS 9.8 high-severity remote code execution (RCE) vulnerability tracked as CVE-2023-46604 that leverages deserialization of untrusted data [CWE-502] in the OpenWire protocol. The Apache ActiveMQ message broker can be exploited remotely [T1210] for execution of arbitrary shell commands at the privilege level of the ActiveMQ process [T1068]. CISA added CVE-2023-46604 to its actively exploited catalog on November 2nd, and its exploitation is considered trivial complexity. Attacks leveraging CVE-2023-46604 have included ransomware deployment consistent with the HelloKitty and TellYouThePass ransomware variants and Kinsing cryptomining malware. Greenbone added detection for CVE-2023-46604 to the Enterprise vulnerability feed on November 7th, 2023.

The Apache ActiveMQ broker service uses the OpenWire protocol for language-agnostic communication between software components or systems on port 61616 by default. The exploit occurs by manipulating serialized class types to cause the broker to instantiate any class on the classpath. Serialization (or marshalling) is the process of converting data objects (such as functions, classes, or arrays) into an encoded format for transmission over a network or to be stored for later use. Deserialization (or unmarshalling) is the reverse process whereby the serialized data is reconstructed into the format used by a programming language – in this case The Java programming language.

ActiveMQ is built on the Spring Java Framework. CVE-2023-46604 is exploited by specifying the `ClassPathXmlApplicationContext` class for the type of data to be unmarshalled. The `ClassPathXmlApplicationContext` class will fetch a remote XML file, allowing the attacker to specify their own malicious XML hosted anywhere on the Internet to be imported. The malicious XML file can include system commands to be called via the `java.lang.ProcessBuilder.start` function. Rapid7 has posted the most detailed technical analysis on how CVE-2023-46604 can be exploited for RCE.

Mitigating CVE-2023-46604

Several Proof of concept (PoC) for CVE-2023-46604 [1][2][3] are publically available as well as a Metasploit module which will make the exploitation of an estimated 3,000 vulnerable Apache ActiveMQ servers highly probable and increasing the urgency for remediation.

Several versions of Apache ActiveMQ, ActiveMQ Artemis, and Apache ActiveMQ Legacy OpenWire Module are affected. Users are strongly urged to upgrade affected brokers and clients to fixed versions 5.15.16, 5.16.7, 5.17.6, 5.18.3, or later. Patched versions were released in late October, 2023 and ActiveMQ version 6.0.0 was released on November 17th.

Although there is no alternative workaround for preventing exploitation of CVE-2023-46604 available for ActiveMQ itself, firewall rules may be used to whitelist trusted brokers and clients to prevent access by untrusted IP addresses.

What Is A “Message Broker” Anyway?

Message Brokers (also known as Message Queue broker or “MQ”) are software services that facilitate exchange of messages between different processes on the same system or between different systems. These message queues allow “senders” and “receivers” to operate asynchronously and thus independently and also enable the creation of interconnected software systems across a distributed IT architecture. There are many popular MQs available.