Apache ActiveMQ RCE Vulnerability CVE-2023-46604
Summary
A Critical vulnerability that could allow a remote attacker with network access to a broker to run arbitrary shell commands
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Apache has released a security update to address a remote code execution (RCE) vulnerability, CVE-2023-46604. This Critical vulnerability has a CVSSv3 base score of 10 and could allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialised class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
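The class of flaw described above, shown as an added Java example that is not ActiveMQ source code and is not taken from the Apache bulletin: a class name received from a peer is instantiated by reflection, first without and then with a type check. The class and method names are hypothetical, and the example assumes the field being unmarshalled is only ever meant to carry an exception type.

```java
import java.lang.reflect.Constructor;

// Added illustration with hypothetical names; not ActiveMQ code.
public class TypeCheckedUnmarshal {

    // Unsafe pattern: the class name comes from the peer and is used as-is,
    // so any class on the classpath with a (String) constructor is created.
    static Object unsafeCreate(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Hardened pattern: load the class without running its static initialisers,
    // confirm it is the expected kind of type, and only then instantiate it.
    static Throwable safeCreate(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false,
                TypeCheckedUnmarshal.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("Rejected non-Throwable type: " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected type, one unexpected type.
        String[] names = { "java.io.IOException", "java.lang.StringBuilder" };
        for (String name : names) {
            // The unsafe path instantiates whatever type was named.
            Object o = unsafeCreate(name, "constructed sample message");
            System.out.println("unsafe: created " + o.getClass().getName());
            // The hardened path rejects anything that is not a Throwable.
            try {
                Throwable t = safeCreate(name, "constructed sample message");
                System.out.println("safe:   accepted " + t.getClass().getName());
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   " + e.getMessage());
            }
        }
    }
}
```

The type check is a defence-in-depth pattern for code you own; for ActiveMQ itself the remediation is the vendor update referenced in this alert.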
Exploitation in the wild and proof-of-concept of CVE-2023-46604
This vulnerability is exploited in the wild and a proof-of-concept (PoC) is publicly available.
Threat updates
| Date | Update |
|---|---|
| 10 Nov 2023 | Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server: Bamboo Data Center and Server have been added as affected platforms. This cyber alert has been updated to reflect these changes. |
Remediation advice
Affected organisations are encouraged to review Apache's security bulletin for CVE-2023-46604 and the Bamboo Data Center and Server advisory, and to apply the relevant updates.
Definitive source of threat updates
Last edited: 10 November 2023 1:35 pm