Apache ActiveMQ is a popular open-source message broker and integration platform that supports multiple protocols and languages. It is widely used for enterprise messaging, IoT, and microservices architectures. However, a critical security flaw in Apache ActiveMQ could expose it to remote code execution attacks by malicious actors.
What is the Vulnerability and How Does It Work?
The vulnerability, tracked as CVE-2023-46604, is a remote code execution bug that allows a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
This is one of the more convoluted vulnerability descriptions we have seen, but the root cause of the issue is insecure deserialization. Deserialization is the process of converting a stream of bytes into an object that can be used by a program.
Insecure deserialization occurs when an application accepts untrusted data and deserializes it without proper validation or sanitization. This can lead to various attacks, such as injecting malicious code, executing commands, or escalating privileges.
In the case of CVE-2023-46604, the attacker can craft a malicious OpenWire message that contains a serialized Java object of a class that has a dangerous method or constructor.
When the broker receives the message and deserializes it, it will invoke the method or constructor of the class, which can execute arbitrary commands on the broker’s system.
Trend Micro Research shared a post on Twitter:
Trend Micro researchers have uncovered a threat to #Linux systems — the active exploitation of the Apache #ActiveMQ vulnerability CVE-2023-46604 by the Kinsing (h2crypt) cryptocurrency miner and rootkit.
Read the story: ⬇️ https://t.co/n7T7tIsDrH
— Trend Micro Research (@TrendMicroRSRCH) November 20, 2023
What Are the Impacts and Risks of the Vulnerability?
The vulnerability affects the following versions of Apache ActiveMQ:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
The vulnerability has a maximum CVSS score of 10.0, which means it is a critical severity issue that can result in complete compromise of the broker and the system it runs on.
The attacker does not need any authentication or authorization to exploit the vulnerability, and can potentially access or modify any data or resource on the broker or the system.
The vulnerability was publicly disclosed by Apache on October 25, 2023, and proof-of-concept exploit code and specific vulnerability details are now available to the public. This increases the likelihood of exploitation by malicious actors, who can use the exploit code to launch attacks against vulnerable brokers.
One of the reported exploitation attempts is attributed to the HelloKitty ransomware family, whose source code was leaked on a forum in early October 2023.
The HelloKitty ransomware is known for targeting high-profile organizations, such as CD Projekt Red, the developer of Cyberpunk 2077. The ransomware encrypts the victim’s files and demands a ransom for their decryption. It also threatens to leak the victim’s data if the ransom is not paid.
How to Detect and Prevent Vulnerability Exploitation?
To detect vulnerability exploitation, it is recommended to monitor the broker’s logs and network traffic for any suspicious or anomalous activity, such as:
- Unexpected or unauthorized connections to the broker using the OpenWire protocol
- Unexpected or unauthorized commands or processes executed on the broker’s system
- Unexpected or unauthorized files or directories created, modified, or deleted on the broker’s system
- Unexpected or unauthorized encryption or decryption of files on the broker’s system
To prevent vulnerability exploitation, it is strongly advised to update the broker to the latest version of Apache ActiveMQ or the Legacy OpenWire Module, as they contain the patches for the vulnerability. The latest versions are:
- Apache ActiveMQ 5.18.3
- Apache ActiveMQ 5.17.6
- Apache ActiveMQ 5.16.7
- Apache ActiveMQ 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.15.16
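A small inventory triage helper, added here as an example (not code from the article or the ActiveMQ project): it encodes the affected ranges and fixed versions listed above and tells you, for a given version string, whether a broker or Legacy OpenWire Module still falls inside a vulnerable range and which release closes it. Branches not named in the advisory (for example 5.19.x) are treated as not affected.

```python
# Added example: map ActiveMQ version strings onto the CVE-2023-46604 ranges
# quoted in the article. Not part of the article or the ActiveMQ project.
from __future__ import annotations
import re

# (inclusive lower bound of the branch, first fixed release on that branch).
# The last entry covers everything below 5.16.0, which is only fixed in 5.15.16;
# the advisory lists 5.8.0 as the lower bound for the Legacy OpenWire Module,
# but the same fixed release applies, so a single table serves both products.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),
]

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.18.2', '5.18' or '5.17.6-SNAPSHOT' into a comparable (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not an ActiveMQ version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def fixed_version_for(version: str) -> str | None:
    """First patched release on the same branch, or None when the version is not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:          # half-open range: the fixed release itself is safe
            return ".".join(map(str, fixed))
    return None

def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None

def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, current version, required version) for every host still exposed."""
    return [(host, ver, fixed_version_for(ver))
            for host, ver in sorted(inventory.items()) if is_affected(ver)]

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample = {"mq-prod-1": "5.18.2", "mq-prod-2": "5.18.3",
              "mq-legacy": "5.15.9", "mq-lab": "5.19.0"}
    for host, current, required in triage(sample):
        print(f"{host}: {current} is affected, upgrade to {required}")
```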
If the broker cannot be updated right away, it is recommended to apply the following mitigations:
- Disable the OpenWire protocol if it is not used or needed
- Restrict network access to the broker using firewalls or other security controls
- Enable the broker’s security features, such as authentication, authorization, encryption, and auditing
- Implement the broker’s best practices, such as using separate instances for different applications, isolating the broker from other systems, and backing up the broker’s data
CVE-2023-46604 is a critical security flaw in Apache ActiveMQ that can enable remote code execution attacks by malicious actors. The vulnerability has been publicly disclosed and exploited and poses a serious threat to the broker and the system it runs on.
It is imperative to update the broker to the latest version or apply the mitigations to prevent vulnerability exploitation. It is also important to monitor the broker’s activity and report any suspicious or anomalous behaviour.