Critical RCE Vulnerability Discovered in Apache ActiveMQ Servers

A critical remote code execution (RCE) vulnerability has been discovered in Apache ActiveMQ, rendering over three thousand internet-exposed servers susceptible to this security threat.

Apache ActiveMQ is a highly scalable open-source message broker that facilitates communication between clients and servers. It supports various cross-language clients and numerous protocols, including AMQP, MQTT, OpenWire, and STOMP. Thanks to its diverse array of secure authentication and authorization mechanisms, it is extensively utilized in enterprise environments where systems need to communicate without direct connectivity.

The identified vulnerability, known as CVE-2023-46604, is rated as critical with a CVSS v3 score of 10.0. This flaw permits attackers to execute arbitrary shell commands by exploiting the serialized class types within the OpenWire protocol.

According to Apache’s disclosure issued on October 27, 2023, the vulnerability impacts the following versions of Apache ActiveMQ and Legacy OpenWire Module:

Versions prior to 5.18.3 in the 5.18.x series
Versions prior to 5.17.6 in the 5.17.x series
Versions prior to 5.16.7 in the 5.16.x series
All versions prior to 5.15.16

To address this vulnerability, fixes were promptly made available on the same day, in the form of new releases: versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3. These updated versions are recommended as the necessary upgrades.

Researchers from the threat monitoring service ShadowServer discovered a total of 7,249 servers with ActiveMQ services accessible. Among these, 3,329 servers were running versions of ActiveMQ vulnerable to CVE-2023-46604, putting them at risk of remote code execution.

The majority of the vulnerable instances (1,400) were located in China, followed by the United States with 530, Germany with 153, and India, the Netherlands, Russia, France, and South Korea, each having 100 exposed servers.

Considering the vital role that Apache ActiveMQ plays as a message broker in enterprise environments, the exploitation of CVE-2023-46604 could lead to message interception, workflow disruption, data theft, and potentially unauthorized lateral movement within the network.

Given that technical details on how to exploit CVE-2023-46604 are publicly available, it is imperative that organizations act swiftly to apply the provided security updates to mitigate this serious security risk.