[CDP-development] TLP:GREEN - (Vulnerability Alert Notification) - CVE-2023-46604: Apache ActiveMQ Remote Code Execution Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Thu Nov 2 15:52:56 PDT 2023


Good afternoon,

The SOC Services team is reporting on the vulnerability CVE-2023-46604: Apache ActiveMQ Remote Code Execution Vulnerability. Due to its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On November 2, 2023, CISA added CVE-2023-46604 to the Known Exploited Vulnerabilities Catalog.

The following products are affected:

  *   Apache ActiveMQ 5.18.0 before 5.18.3
  *   Apache ActiveMQ 5.17.0 before 5.17.6
  *   Apache ActiveMQ 5.16.0 before 5.16.7
  *   Apache ActiveMQ before 5.15.16
  *   Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  *   Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  *   Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  *   Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Fixed Versions:

  *   Apache ActiveMQ 5.15.16
  *   Apache ActiveMQ 5.16.7
  *   Apache ActiveMQ 5.17.6
  *   Apache ActiveMQ 5.18.3
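A small triage helper built from the affected and fixed ranges above, so an inventory of ActiveMQ versions can be checked in bulk. This is an added example, not part of the advisory or the ActiveMQ project; the host names and version strings it runs on are constructed.

```python
"""Check whether an Apache ActiveMQ version falls inside the CVE-2023-46604
affected ranges listed in the advisory (added example; constructed input)."""
import re

# (branch) -> first fixed release on that branch, taken from the advisory.
# Anything earlier than the 5.15 branch is covered by "before 5.15.16".
FIXED_ON_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text):
    """Return (major, minor, patch) from a string such as '5.17.2' or
    'ActiveMQ 5.18.3'. Suffixes after x.y.z are ignored; raises ValueError
    if no x.y.z version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(text):
    """True if the version is inside an affected range from the advisory."""
    version = parse_version(text)
    major, minor, _ = version
    if version < (5, 15, 0):
        return True  # "Apache ActiveMQ before 5.15.16"
    fixed = FIXED_ON_BRANCH.get((major, minor))
    if fixed is None:
        # Not one of the four listed branches; the advisory gives no
        # affected range for it, so it is reported as not affected.
        return False
    return version < fixed


def triage(inventory):
    """Map host -> 'PATCH' or 'ok' for a {host: version_string} inventory."""
    return {host: ("PATCH" if is_vulnerable(v) else "ok")
            for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mq-a": "5.18.2", "mq-b": "5.18.3", "mq-c": "5.14.5",
              "mq-d": "ActiveMQ 5.16.7", "mq-e": "5.17.5"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```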

Additional information can be found in the links below:

  *   https://activemq.apache.org/security-advisories.data/CVE-2023-46604
  *   https://issues.apache.org/jira/browse/AMQ-9370

Intelligence: As of November 2, 2023, the vulnerability has been confirmed as being exploited in the wild. The vulnerability has been actively exploited by the HelloKitty ransomware group.

Workarounds: There are no known workarounds at this time.

How it works: Apache ActiveMQ contains a deserialization of untrusted data vulnerability that could allow a remote attacker with network access to a broker to run shell commands: by manipulating serialized class types in the OpenWire protocol, the attacker can cause the broker to instantiate any class on the classpath.

Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could execute code remotely with the same privileges as the ActiveMQ server.

As of November 2, 2023, the following vulnerability plugin has been released and is currently in Tenable Security Center:

  Plugin:   184189 (https://www.tenable.com/plugins/nessus/184189)
  Title:    Apache ActiveMQ < 5.15.16 / 5.16.x < 5.16.7 / 5.17.x < 5.17.6 / 5.18.x < 5.18.3 RCE
  Severity: Critical

Recommended Actions:

  *   Verify the host has not been compromised before applying patches.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."

