Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcmc5LTQ0aDIteHczNc4AA2vl
Apache ActiveMQ is vulnerable to Remote Code Execution
Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
Permalink: https://github.com/advisories/GHSA-crg9-44h2-xw35
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcmc5LTQ0aDIteHczNc4AA2vl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 months ago
Updated: 5 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Identifiers: GHSA-crg9-44h2-xw35, CVE-2023-46604
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46604
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604
- https://issues.apache.org/jira/browse/AMQ-9370
- http://www.openwall.com/lists/oss-security/2023/10/27/5
- https://github.com/apache/activemq/pull/1098
- https://github.com/apache/activemq/commit/80089f9f476afab7d976f5fc37c5ab4aa0c2139d
- https://security.netapp.com/advisory/ntap-20231110-0010/
- https://www.openwall.com/lists/oss-security/2023/10/27/5
- http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- https://github.com/advisories/GHSA-crg9-44h2-xw35
Blast Radius: 38.1
Affected Packages
maven:org.apache.activemq:activemq-openwire-legacy
Dependent packages: 78
Dependent repositories: 1,729
Downloads:
Affected Version Ranges: >= 5.18.0, < 5.18.3, >= 5.17.0, < 5.17.6, >= 5.16.0, < 5.16.7, >= 5.8.0, < 5.15.16
Fixed in: 5.18.3, 5.17.6, 5.16.7, 5.15.16
All affected versions: 5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.10.1, 5.10.2, 5.11.0, 5.11.1, 5.11.2, 5.11.3, 5.11.4, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, 5.14.0, 5.14.1, 5.14.2, 5.14.3, 5.14.4, 5.14.5, 5.15.0, 5.15.1, 5.15.2, 5.15.3, 5.15.4, 5.15.5, 5.15.6, 5.15.7, 5.15.8, 5.15.9, 5.15.10, 5.15.11, 5.15.12, 5.15.13, 5.15.14, 5.15.15, 5.16.0, 5.16.1, 5.16.2, 5.16.3, 5.16.4, 5.16.5, 5.16.6, 5.17.0, 5.17.1, 5.17.2, 5.17.3, 5.17.4, 5.17.5, 5.18.0, 5.18.1, 5.18.2
All unaffected versions: 5.15.16, 5.16.7, 5.17.6, 5.18.3, 5.18.4, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2
maven:org.apache.activemq:activemq-client
Dependent packages: 410
Dependent repositories: 6,414
Downloads:
Affected Version Ranges: >= 5.18.0, < 5.18.3, >= 5.17.0, < 5.17.6, >= 5.16.0, < 5.16.7, < 5.15.16
Fixed in: 5.18.3, 5.17.6, 5.16.7, 5.15.16
All affected versions: 5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.10.1, 5.10.2, 5.11.0, 5.11.1, 5.11.2, 5.11.3, 5.11.4, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, 5.14.0, 5.14.1, 5.14.2, 5.14.3, 5.14.4, 5.14.5, 5.15.0, 5.15.1, 5.15.2, 5.15.3, 5.15.4, 5.15.5, 5.15.6, 5.15.7, 5.15.8, 5.15.9, 5.15.10, 5.15.11, 5.15.12, 5.15.13, 5.15.14, 5.15.15, 5.16.0, 5.16.1, 5.16.2, 5.16.3, 5.16.4, 5.16.5, 5.16.6, 5.17.0, 5.17.1, 5.17.2, 5.17.3, 5.17.4, 5.17.5, 5.18.0, 5.18.1, 5.18.2
All unaffected versions: 5.15.16, 5.16.7, 5.17.6, 5.18.3, 5.18.4, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2