November 17, 2023: Apache ActiveMQ, a popular open source message broker whose basic function is to relay messages between different applications, has identified a critical flaw that is being actively exploited and allows remote code execution (RCE) that can go undetected.
The critical vulnerability, tracked as CVE-2023-46604, was given the max CVSS (Common Vulnerability Scoring System) of 10/10.
Affected versions include:
- 5.18.0 versions before 5.18.3
- 5.17.0 versions before 5.17.6
- 5.16.0 versions before 5.16.7
- All versions prior to 5.15.16
- OpenWire Module 5.18.0 versions before 5.18.3
- OpenWire Module 5.17.0 versions before 5.17.6
- OpenWire Module 5.16.0 versions before 5.16.7
- OpenWire Module 5.8.0 versions before 5.15.16
Unauthenticated threat actors are able to exploit the vulnerability and run arbitrary shell commands to deploy ransomware strains such as HelloKitty. The vulnerability may also allow threat actors to launch attacks from memory, which could evade endpoint detection and protection tools.
Apache ActiveMQ noted that three things are required to exploit this zero-day vulnerability:
- Network access
- A manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter)
- A class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter
The manipulated command (the second requirement above) can be sent by a client to a broker or from a broker to a client, so both are vulnerable.
The security flaw was made public on October 27, after a patch for the vulnerability was committed to the source code on October 24, but it had already been actively exploited by ransomware groups.
Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue. Applying patches as soon as they become available, together with continuous, third-party network monitoring, is critical to maintaining a strong cyber posture and initiating a successful response to any security impact related to zero-day exploits.
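To turn the affected-version list and the upgrade recommendation above into something an inventory can be checked against, here is an added Python example (not part of the SecuLore advisory or the ActiveMQ project) that classifies broker and client versions against the CVE-2023-46604 fix releases; the host names are constructed sample data.

```python
"""Added example: triage Apache ActiveMQ versions against CVE-2023-46604.

The version ranges are taken from the advisory above. Hosts and versions in
the sample inventory are constructed, not real systems."""
import re

# Branch prefix -> first fixed release on that branch (from the advisory).
FIXED_BY_BRANCH = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
# "All versions prior to 5.15.16" and the legacy OpenWire module (5.8.0+)
# are fixed at 5.15.16. Branches newer than those listed compare above
# this value and so are reported as not affected.
LEGACY_FIXED = (5, 15, 16)


def parse_version(text):
    """Turn '5.17.4' or '5.18.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True when the version is below the first fixed release of its branch."""
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2], LEGACY_FIXED)
    return v < fixed


def triage(inventory):
    """Map host -> 'PATCH' or 'OK' for a {host: version_string} inventory."""
    return {host: ("PATCH" if is_vulnerable(ver) else "OK")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory covering each branch in the advisory.
    sample = {"broker-a": "5.18.2", "broker-b": "5.18.3",
              "client-c": "5.15.15", "client-d": "5.16.7",
              "legacy-e": "5.8.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Remember that the advisory calls for upgrading clients as well as brokers, so the inventory should include client-side ActiveMQ libraries, not only broker hosts.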
SecuLore™ OverWatch provides continuous network monitoring through our patented Paladin technology to detect vulnerabilities and anomalous behavior in your network. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
Contact SecuLore for more information on getting started with a monitoring option that detects malicious traffic attempting to exploit vulnerabilities on your network.
SecuLore Support Team