Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2023-46604
Back to All
CVE

CVE-2023-46604

Apache ActiveMQ is vulnerable to Remote Code Execution

Description

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Base CVSS

10

EPSS Score

94.44%

Introduced Version

4.1.1

Fix Available

5.18.3,5.15.16,5.16.7,5.17.6

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.activemq:activemq-openwire-legacy
5.18.2
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+471
-0
Package Name
org.apache.activemq:activemq-client
5.18.2
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+471
-0

References

http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
https://issues.apache.org/jira/browse/AMQ-9370
https://security.netapp.com/advisory/ntap-20231110-0010
https://github.com/apache/activemq/commit/80089f9f476afab7d976f5fc37c5ab4aa0c2139d
https://github.com/apache/activemq/commit/22442b2385b1000312aec3d19e510131d595a5fc
https://nvd.nist.gov/vuln/detail/CVE-2023-46604
https://activemq.apache.org/security-advisories.data/CVE-2023-46604
https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2024/Apr/18
https://github.com/apache/activemq/commit/d0ccdd31544ada83185554c87c7aa141064020f0
https://www.openwall.com/lists/oss-security/2023/10/27/5
https://github.com/apache/activemq/commit/958330df26cf3d5cdb63905dc2c6882e98781d8f
https://github.com/apache/activemq
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
https://github.com/apache/activemq/pull/1098
http://www.openwall.com/lists/oss-security/2023/10/27/5

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01