Decorative image for blog on CVE 2023-46604
January 25, 2024

Addressing ActiveMQ CVE 2023-46604: Risks and Mitigation Steps

Web Infrastructure
Security

CVE 2023-46604 is a critical severity vulnerability that can be exploited in Apache ActiveMQ. Since it was disclosed in October 2023, several attacks have been reported. Keep reading to find out how the ActiveMQ vulnerability works, how malicious actors can take advantage of it, and how to avoid an exploit before it's too late. 

Back to top

What Is CVE 2023-46604?

CVE-2023-46604 is a Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8 indicating critical severity, per the National Vulnerability Database. Specifically, the Java OpenWire protocol marshaller is vulnerable to this CVE. It allows a remote attacker with network access to either a Java-based OpenWire broker (such as ActiveMQ) or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

Back to top

Who Does CVE 2023-46604 Impact?

CVE 2023-46604 affects any software that uses the Java-based OpenWire protocol. In particular, both ActiveMQ Classic and ActiveMQ Artemis, and Java-based OpenWire clients, such as the Maven dependency on activemq-client.

This would impact any ActiveMQ Classic version below 5.18.3, 5.17.6, 5.16.7, and 5.15.16, as well as Artemis 2.31.2. In other words, it has been fixed in ActiveMQ 5.18.3, but is vulnerable in 5.18.2, 5.18.1, and 5.18.0, and so on. This vulnerability has already been exploited, so it is imperative that systems are patched immediately.

Back to top

How Does CVE 2023-46604 Work?

The exploit process works in two stages. First, the attacker establishes a connection to ActiveMQ via the OpenWire protocol, usually running on port 61616. Then a carefully crafted OpenWire packet is sent to the system, where the attacker prompts the system to unmarshall a class they control. This triggers the server to load a class configuration file.

The OpenWire protocol request originates from the attacker, but the request to load a remote class configuration file originates from the victim. The only known exploit uses ClassPathXmlApplicationContext to load a malicious XML application configuration file from somewhere on the network with HTTP.

Due to lack of proper validation, the server trusts any class provided by the attacker. A PoC exploit designed by the researchers at VulnCheck also revealed that threat actors can cover their tracks by launching attacks from memory and then deleting incriminating logs to avoid detection from endpoint detection and response (EDR) teams. The longer the breach goes unnoticed, of course, the more damage can be done. 

Back to top

What Are the Consequences of a CVE 2023-46604 Exploit?

Successful exploitation of CVE-2023-46604 can lead to various actions, such as:

  • Stealing sensitive data
  • Installing malware
  • Disrupting server operations
  • Launching further attacks on other systems connected to the broker

As mentioned, this vulnerability has already been exploited by various hacking groups. In late November 2023, The Hacker News reported that a botnet called GoTitan has been exploiting this CVE to launch Distributed Denial of Service (DDoS) attacks via HTTP, TLS, and other protocols. Vulnerable ActiveMQ servers have also been infiltrated with HelloKitty ransomware and malware such as PrCtrl Rat, which is a remote access trojan that can be used to take control of the server and remove or add files.

Need ActiveMQ Support?

OpenLogic provides end-to-end technical support for more than 400 open source technologies, including ActiveMQ. Our support is backed by SLAs and delivered by Enterprise Architects with 15+ years of experience. 

Get ActiveMQ Support 

Back to top

CVE 2023-46604 Mitigation Steps

The most definitive mitigation is upgrading to a patched version of ActiveMQ. The following versions address the vulnerability:

  • 5.15.16
  • 5.16.7
  • 5.17.6
  • 5.18.3

Older versions within each branch (5.15, 5.16, 5.17, and 5.18) are still vulnerable.

Another option could be to disable OpenWire. This will limit attacks, but also restrict functionality. Network access could be restricted to only authorized clients. This would help to reduce the attack surface. Then additional security measures could be implemented, such as firewalls, access controls, and intrusion detection systems.

Back to top

Final Thoughts

The Apache Software Foundation patched CVE 2023-46604 quickly, but many organizations still remain vulnerable. It is recommended that admins upgrade vulnerable ActiveMQ servers to a patched version as soon as possible or take servers offline until it is possible to migrate. 

Additional Resources

Back to top