CVE-2023-46604 was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ Classic and ActiveMQ Artemis clients and brokers. In short:
- Users of activemq-client are recommended to upgrade (regardless of which broker you're using).

New releases for all current branches were made available on the day the CVE was announced:
ActiveMQ Classic:
ActiveMQ Artemis:
As stated in the official CVE description:
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
Three things are required to exploit this vulnerability:
String parameter)
String parameter

The manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client, so both are vulnerable.
The ActiveMQ Classic broker ships with a handful of Spring dependencies, including org.springframework.context.support.ClassPathXmlApplicationContext, which is used to run Spring applications. This class is not only present on the broker; it is an extremely common client-side dependency as well. It has a constructor which takes a String, and that String can be an HTTP URL pointing to an XML application configuration file somewhere on the network.
The only known exploit of this vulnerability uses this ClassPathXmlApplicationContext to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine with the vulnerability (i.e. broker or client).
ActiveMQ Artemis supports the OpenWire protocol and therefore has dependencies from ActiveMQ Classic for this support. These dependencies include the vulnerable code. However, Artemis doesn't ship Spring so there is currently no known exploit. Regardless, upgrading is still recommended.