Update on CVE-2023-46604
CVE-2023-46604 was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ Classic and ActiveMQ Artemis clients and brokers. In short:
- Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are recommended to upgrade.
- Users of any Java-based OpenWire client (e.g. Maven dependency on activemq-client) are recommended to upgrade (regardless of which broker you’re using).
New releases for all current branches were made available on the day the CVE was announced:
As stated in the official CVE description:
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
Three things are required to exploit this vulnerability:
1. Network access
2. A manipulated OpenWire command (used to instantiate an arbitrary class on the classpath with a
3. A class on the classpath which can execute arbitrary code simply by instantiating it with a
The manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client so both are vulnerable.
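To make the marshaller weakness concrete from the defender's side, here is an added illustration (not ActiveMQ's own source) of the unsafe instantiation shape described above beside a hardened variant that refuses to construct anything that is not a Throwable; the class name OpenWireThrowableDemo and both helper names are hypothetical, and java.io.File is used only as a harmless stand-in for "some class with a String constructor".

```java
import java.lang.reflect.Constructor;

// Added illustration, not the project's code: class and method names are hypothetical.
public class OpenWireThrowableDemo {

    // Vulnerable shape: whatever class name arrives on the wire is resolved and,
    // if it has a String constructor, instantiated with the wire-supplied argument.
    static Object createUnchecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, OpenWireThrowableDemo.class.getClassLoader());
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Hardened shape: resolve the class WITHOUT initializing it (no static
    // initializers run), then require that it is a Throwable before any
    // constructor executes. Exception responses are the only legitimate use
    // of this marshalling path, so anything else is rejected.
    static Throwable createThrowable(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, OpenWireThrowableDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("Refusing to instantiate non-Throwable class: " + className);
        }
        Constructor<? extends Throwable> ctor =
                clazz.asSubclass(Throwable.class).getConstructor(String.class);
        return ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // A genuine exception type still passes the hardened check.
        Throwable t = createThrowable("java.lang.IllegalStateException", "broker side error");
        System.out.println("accepted: " + t.getClass().getName());

        // A non-Throwable class with a String constructor is happily built by the
        // unchecked path but rejected by the hardened one.
        Object o = createUnchecked("java.io.File", "stand-in-argument");
        System.out.println("unchecked created: " + o.getClass().getName());
        try {
            createThrowable("java.io.File", "stand-in-argument");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

The point to take from the hardened path is that the fix is a type allowlist applied before construction, not a denylist of known-bad classes, which is why upgrading (rather than removing individual dependencies) is the recommendation.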
ActiveMQ Classic Details
The ActiveMQ Classic broker ships with a handful of Spring dependencies including org.springframework.context.support.ClassPathXmlApplicationContext which is used to run Spring applications. This class is not only present on the broker, but it is an extremely common client-side dependency as well. It has a constructor which takes a String which can be an HTTP URL pointing to an XML application configuration file across the network.
The only known exploit of this vulnerability uses this ClassPathXmlApplicationContext to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine with the vulnerability (i.e. broker or client).
ActiveMQ Artemis Details
ActiveMQ Artemis supports the OpenWire protocol and therefore has dependencies from ActiveMQ Classic for this support. These dependencies include the vulnerable code. However, Artemis doesn’t ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.