Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
Summary
| CVE | CVE-2023-46604 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-27 15:15:00 UTC |
| Updated | 2023-11-20 22:15:00 UTC |
| Description | Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. |
Risk And Classification
EPSS: 0.944360000 probability, percentile 0.999870000 (date 2026-04-01)
CISA KEV: Listed on 2023-11-02; due 2023-11-23; ransomware use Known
Problem Types: CWE-502
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | ActiveMQ |
| Name | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Notes | https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; https://nvd.nist.gov/vuln/detail/CVE-2023-46604 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Activemq | All | All | All | All |
| Application | Apache | Activemq Legacy Openwire Module | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack | MISC | www.openwall.com | |
| oss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack | | www.openwall.com | |
| CVE-2023-46604 Apache ActiveMQ Vulnerability in NetApp Products | NetApp Product Security | security.netapp.com | |
| activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt | MISC | activemq.apache.org | |
| lists.debian.org/debian-lts-announce/2023/11/msg00013.html | | lists.debian.org | |
| packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Exec... | | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 150757 Apache ActiveMQ Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)
- 379060 Apache ActiveMQ Remote Code Execution (RCE) Vulnerability
- 379516 IBM Sterling Secure Proxy Multiple Vulnerabilities (7142038)
- 6000335 Debian Security Update for activemq (DLA 3657-1)
- 730963 Apache ActiveMQ Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)
- 731042 Atlassian Bamboo Server and Data Center Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)
- 995775 Java (Maven) Security Update for org.apache.activemq:activemq-client (GHSA-crg9-44h2-xw35)