CISA KEV 정보
| 취약점명 | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability |
|---|---|
| 설명 | Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. |
| 조치사항 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| 랜섬웨어 캠페인 악용 | Known |
| CWE | CWE-502 |
| 등록일 (KEV) | 2023-11-02 |
| 조치 기한 | 2023-11-23 |
| 추가 참고 | https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; https://nvd.nist.gov/vuln/detail/CVE-2023-46604 |
NVD 상세 정보
CVSS v3.1: 10.0 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H설명: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
CWE: CWE-502
참조
- http://seclists.org/fulldisclosure/2024/Apr/18 [Mailing List, Third Party Advisory]
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt [Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html [Mailing List]
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- https://security.netapp.com/advisory/ntap-20231110-0010/ [Third Party Advisory]
- https://www.openwall.com/lists/oss-security/2023/10/27/5 [Mailing List]
- http://seclists.org/fulldisclosure/2024/Apr/18 [Mailing List, Third Party Advisory]
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt [Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html [Mailing List]
- https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html [Mailing List]
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- https://security.netapp.com/advisory/ntap-20231110-0010/ [Third Party Advisory]
- https://www.openwall.com/lists/oss-security/2023/10/27/5 [Mailing List]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46604 [Third Party Advisory, US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.