
Warning: New RCE vulnerability affecting Apache ActiveMQ, CVE-2023-46604, is actively exploited. Patch immediately!

Reference:
Advisory #2023-132
Version:
1.0
Affected software:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2023-46604: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2023-46604

Risks

CVE-2023-46604 affects Apache ActiveMQ. Successful exploitation leads to Remote Code Execution (RCE). 

CVE-2023-46604 has a HIGH impact on Integrity and Availability. No user interaction is needed to exploit this vulnerability, and the attack complexity is low.

CVE-2023-46604 is being exploited in the wild by ransomware operators, and a proof of concept (PoC) has been published on GitHub. Immediate action is needed.

The CCB recommends that organizations scale up their monitoring and detection capabilities in order to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place.

Description

Apache ActiveMQ is an open source message broker written in Java, shipped together with a full Java Message Service (JMS) client. Apache ActiveMQ provides "Enterprise Features", which in this case means supporting communication between multiple clients or servers. Communication is managed with features such as computer clustering and the ability to use any database as a JMS persistence provider, in addition to virtual memory, cache, and journal persistence.

CVE-2023-46604 may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath.

Recommended actions

The Centre for Cyber Security Belgium strongly recommends that system administrators upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
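As an added example that is not part of the CCB advisory, the following Python check maps an ActiveMQ version string against the affected ranges listed above (broker and Legacy OpenWire Module) and names the fixed release on the same branch to upgrade to; the inventory lines it reads are constructed sample data.

```python
import re

# Affected ranges from the advisory as (lower inclusive, fixed version exclusive).
BROKER_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),   # "before 5.15.16": no lower bound given
]
# The Legacy OpenWire Module ranges differ only in the oldest branch (5.8.0 and up).
LEGACY_OPENWIRE_RANGES = BROKER_RANGES[:3] + [((5, 8, 0), (5, 15, 16))]
FIXED_BY_BRANCH = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6), (5, 16): (5, 16, 7)}

def parse_version(text):
    """Return (major, minor, patch) for the first x.y.z found in text, else None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version, legacy_openwire=False):
    """True if the version falls in an affected range for the chosen component."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"no x.y.z version in {version!r}")
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else BROKER_RANGES
    return any(lo <= v < hi for lo, hi in ranges)

def fixed_version_for(version):
    """Smallest fixed release on the same branch (5.15.16 for older branches)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2], (5, 15, 16))
    return ".".join(map(str, fixed))

# Constructed inventory lines: host, component, version (sample data, not real hosts).
INVENTORY = """\
mq-prod-01 apache-activemq 5.17.2
mq-prod-02 apache-activemq 5.18.3
mq-legacy  activemq-openwire-legacy 5.9.1
mq-dev     apache-activemq 5.15.15
"""

def audit(inventory=INVENTORY):
    """Return (host, version, affected, upgrade_to) for each inventory line."""
    rows = []
    for line in inventory.splitlines():
        host, component, ver = line.split()
        affected = is_affected(ver, legacy_openwire="legacy" in component)
        rows.append((host, ver, affected, fixed_version_for(ver) if affected else None))
    return rows
```

Calling `audit()` on the sample inventory flags every host still on an affected release together with the release it should move to; hosts already on a fixed version come back with `upgrade_to` set to `None`.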


References

https://cybersecuritynews.com/hellokitty-ransomware-apache-activemq/
https://securityaffairs.com/153454/hacking/apache-activemq-cve-2023-46604-hellokitty-ransomare.html
https://en.wikipedia.org/wiki/Apache_ActiveMQ