Update to address CVE-2023-46604
diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
new file mode 100644
index 0000000..b176bd4
--- /dev/null
+++ b/src/_news/CVE-2023-46604.md
@@ -0,0 +1,43 @@
+---
+release_date: 2023-11-3
+title: Update on CVE-2023-46604
+shortDescription:
+title-class: page-title-main
+type: main
+---
+#### Summary
+
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both "Classic" and Artemis. In short, **users of both "Classic" and Artemis are recommended to upgrade**. New releases for all current branches were made available on the day the CVE was announced:
+
+"Classic":
+
+ - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last release from this branch)
+ - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last release from this branch)
+ - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [5.18.3](https://activemq.apache.org/activemq-5018003-release)
+
+Artemis:
+
+ - [2.31.2](https://activemq.apache.org/components/artemis/download/)
+
+#### CVE Overview
+
+As stated in the [official CVE description](https://nvd.nist.gov/vuln/detail/CVE-2023-46604):
+
+> Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
+
+Three things are required to exploit this vulnerability:
+
+ 1. Network access
+ 1. A manipulated OpenWire "command" (used to instantiate an arbitrary class on the classpath with a `String` parameter)
+ 1. A class on the classpath which can execute arbitrary code simply by instantiating it with a `String` parameter
+
+#### "Classic" Details
+
+"Classic" ships with a handful of Spring dependencies including, among other things, [`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html). This class is used to run Spring applications, and it has [a constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html#%3Cinit%3E(java.lang.String)) which takes a `String` which can be an HTTP URL pointing to an XML application configuration file across the network.
+
+The only known exploit of this vulnerability uses this `ClassPathXmlApplicationContext` to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine hosting the broker.
+
+#### Artemis Details
+
+Artemis supports the OpenWire protocol and therefore has dependencies from "Classic" for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.
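
Review bot: The Summary section lists only the fixed releases and never says which versions are affected, so a reader cannot tell from this page alone whether their broker needs the upgrade; suggest adding the affected version ranges for both "Classic" and Artemis, taken from the CVE record already linked. In the same list, the Artemis `2.31.2` entry links to the generic download page while every "Classic" entry links to a version-specific release page, so the label and the target will drift apart once a newer Artemis release is published; a version-specific link would keep it stable. "Network access" is the first of the three exploit requirements, but the post gives no guidance for users who cannot upgrade immediately; a sentence on restricting network access to the OpenWire acceptor would follow directly from that list. In the front matter, `release_date: 2023-11-3` is not zero-padded (`2023-11-03` parses and sorts unambiguously) and `shortDescription:` is left empty.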