ISN 2023-27: ActiveMQ in UMS HA
First published 3 November 2023
CVSS 3.1: 10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Summary
Apache ActiveMQ is affected by a critical remote code execution vulnerability. In UMS, this vulnerability affects only the High Availability (HA) feature, in the following versions:
- UMS versions <= 12.02.120
Details
Apache ActiveMQ is affected by a critical (10.0) remote code execution vulnerability tracked as CVE-2023-46604. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Rapid7 has confirmed the public exploit and is investigating the activity of the HelloKitty ransomware group exploiting this vulnerability.
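The weakness class described above, shown as an added example that is not code from ActiveMQ, UMS or this advisory: a receiver that instantiates whatever class name a peer sends, next to a version that checks the type before any constructor runs. The class and method names are hypothetical, and the check assumes the serialized field is only ever meant to carry an exception type.

```java
import java.lang.reflect.Constructor;

public class ClassTypeCheckDemo {

    // Unsafe pattern: the class name arrives from the peer and is
    // instantiated with no restriction on what kind of class it is.
    static Object instantiateUnchecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Hardened pattern: load the class without running static initializers,
    // then reject anything that is not the expected type (assumed here to be
    // Throwable) before a constructor is ever invoked.
    static Throwable instantiateChecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false,
                ClassTypeCheckDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    "Rejected class type from peer: " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: {class name, constructor argument}
        String[][] samples = {
            {"java.io.IOException", "broker error"},
            {"java.lang.StringBuilder", "not an exception"},
        };
        for (String[] s : samples) {
            Object o = instantiateUnchecked(s[0], s[1]);
            System.out.println("unchecked: created " + o.getClass().getName());
            try {
                Throwable t = instantiateChecked(s[0], s[1]);
                System.out.println("checked:   created " + t.getClass().getName());
            } catch (IllegalArgumentException e) {
                System.out.println("checked:   " + e.getMessage());
            }
        }
    }
}
```

A type check of this kind narrows what a peer can make the receiver construct; it does not replace installing the fixed release or restricting network access to the broker.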
Update Instructions
- UMS 12: We are preparing an emergency release of UMS 12.02.130.
- UMS 6: Upgrade to UMS 12.02.130, available soon.
References
- CVE-2023-46604: https://nvd.nist.gov/vuln/detail/CVE-2023-46604
- Apache advisory: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- Report from Rapid7 confirming public exploitation attempts and PoC: https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/