You may be aware that a new critical vulnerability has been discovered in ActiveMQ. This was publicly disclosed on Friday 27th October. The details of the CVE are as follows (https://activemq.apache.org/security-advisories.data/CVE-2023-46604):

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

ActiveMQ, by default, exposes a connector using the OpenWire protocol, and this is commonly used by clients to connect to the broker. Unlike HTTP connections, OpenWire connections typically live for a long period of time (rather than the client continually polling a TCP socket to see if new messages are available to be consumed), and the protocol itself works by the transfer of commands, which are serialized Java objects, back and forth between the broker and the client.

The vulnerability in the protocol is a deserialization vulnerability. An attacker can craft a malicious message that causes a Java object of the attacker’s choice to be created when the message is deserialized. This is a “pre-auth” issue, so even if you have secured your system to require authentication for OpenWire connections, you are still vulnerable.

It is strongly recommended that users patch their systems immediately, with one of the released versions: 5.15.16, 5.16.7, 5.17.6, or 5.18.3.

According to BleepingComputer (https://www.bleepingcomputer.com/news/security/3-000-apache-activemq-servers-vulnerable-to-rce-attacks-exposed-online/) and ShadowServer (https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/), there are over 3000 vulnerable ActiveMQ instances exposed to the Internet. In addition to patching, it is also worth considering whether you need to expose the OpenWire port for your clients, or if it can be firewalled.

Upgrading

ActiveMQ is a fairly straightforward unzip-and-run package. When you upgrade, be sure to copy over your configuration files, any environment changes, and any custom plugins and additional jar files you are using.

Additionally, make sure you know the clients that are connecting to your broker, and be sure to update the client jars they are using to connect.
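To scope the upgrade across brokers and client applications, the check below (an added example, not from the original post or the ActiveMQ project) compares versions found in install directory and jar names against the fixed releases listed above. The inventory, host names and verdict labels are constructed for illustration; branches this post does not list are flagged for manual review against the advisory.

```python
import re

# Fixed releases named in this post, keyed by (major, minor) release branch.
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# Matches e.g. "apache-activemq-5.17.5" or "activemq-client-5.16.6.jar".
_VERSION = re.compile(r"activemq(?:-[a-z]+)*-(\d+)\.(\d+)\.(\d+)")


def classify(artifact):
    """Return 'patched', 'needs-upgrade' or 'check-advisory' for one name."""
    match = _VERSION.search(artifact.lower())
    if match is None:
        return "check-advisory"  # no recognisable version, inspect by hand
    major, minor, patch = (int(part) for part in match.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "check-advisory"  # branch is not in the list given in this post
    return "patched" if patch >= fixed_patch else "needs-upgrade"


def audit(inventory):
    """Return (host, artifact, verdict) for every entry that is not patched."""
    findings = []
    for host, artifact in inventory:
        verdict = classify(artifact)
        if verdict != "patched":
            findings.append((host, artifact, verdict))
    return findings


# Constructed sample inventory: hypothetical hosts, brokers and client jars.
SAMPLE_INVENTORY = [
    ("mq-prod-1", "apache-activemq-5.18.3"),
    ("mq-prod-2", "apache-activemq-5.17.5"),
    ("orders-app", "activemq-client-5.16.6.jar"),
    ("billing-app", "activemq-client-5.15.16.jar"),
    ("legacy-app", "activemq-all-5.14.5.jar"),
]

if __name__ == "__main__":
    for host, artifact, verdict in audit(SAMPLE_INVENTORY):
        print(f"{host}: {artifact} -> {verdict}")
```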

Jonathan Gallimore

Jonathan Gallimore is a passionate Apache TomEE committer, developer and trainer at Tomitribe. He started contributing to Apache TomEE in 2007, working on EJB 3.1 compliance, OpenEJB Eclipse Plug-in, early Tomcat 7 integration (that became the basis for TomEE) and the first version of the TomEE Arquillian adapter. Jon has worked as a developer and architect on Java EE projects across the media, banking, and sports industries.