First published 3 November 2023

CVSS 3.1: 10.0 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Summary

Apache ActiveMQ is vulnerable to a critical remote code execution vulnerability. In UMS, only the High Availability (HA) feature is affected, in the following versions:

  • UMS versions <= 12.02.120

Details

Apache ActiveMQ is vulnerable to a critical (CVSS 10.0) remote code execution vulnerability tracked as CVE-2023-46604. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath. Rapid7 has confirmed the public exploit and is investigating exploitation of this vulnerability by the HelloKitty ransomware group.
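The bug class behind CVE-2023-46604 is a deserializer that loads and constructs whatever class name the sender puts on the wire; the upstream fix rejects any class that is not a Throwable subtype before its constructor runs. The following Python analogue is an added illustration of that pattern and its fix, not ActiveMQ's code or UMS code. `ConfigLoader` is a constructed stand-in for a classpath class whose constructor performs work on an attacker-supplied string; the class names and argument strings are made up for the example.

```python
"""Analogue of the CVE-2023-46604 bug class: a deserializer that instantiates
a class chosen by the remote sender. Added illustration, not ActiveMQ's code."""
import importlib

# Constructed stand-in for a classpath class whose constructor does real work
# when built from an attacker-controlled string. It only records that it ran.
CONSTRUCTED = []


class ConfigLoader:
    """Hypothetical class: constructing it from a string has a side effect."""

    def __init__(self, location):
        CONSTRUCTED.append(location)  # real-world analogue: fetch/apply config


def resolve_class(qualified_name):
    """Load a class by fully-qualified name, e.g. 'builtins.RuntimeError'."""
    module_name, _, attr = qualified_name.rpartition(".")
    if not module_name:
        raise ValueError(f"expected module.Class, got {qualified_name!r}")
    cls = getattr(importlib.import_module(module_name), attr)
    if not isinstance(cls, type):
        raise ValueError(f"{qualified_name} is not a class")
    return cls


def create_throwable_vulnerable(class_name, message):
    """Pre-fix pattern: trust the wire-supplied class name and call its
    single-string constructor, whatever the class turns out to be."""
    return resolve_class(class_name)(message)


def create_throwable_hardened(class_name, message):
    """Fixed pattern: the field is specified to carry an exception, so refuse
    any class that is not one before any constructor code can run."""
    cls = resolve_class(class_name)
    if not issubclass(cls, BaseException):
        raise ValueError(f"refusing to instantiate non-Throwable {class_name}")
    return cls(message)


def demo():
    """Feed the same constructed 'wire' values to both variants."""
    attacker_class = f"{__name__}.ConfigLoader"   # constructed input
    attacker_arg = "remote-config://constructed-example"  # constructed input

    obj = create_throwable_vulnerable(attacker_class, attacker_arg)
    ran_constructor = attacker_arg in CONSTRUCTED  # side effect already happened

    try:
        create_throwable_hardened(attacker_class, attacker_arg)
        blocked = False
    except ValueError:
        blocked = True  # rejected before ConfigLoader.__init__ could run

    # A legitimate exception class still round-trips through the hardened path.
    legit = create_throwable_hardened("builtins.RuntimeError", "broker error")

    return {
        "vulnerable_type": type(obj).__name__,
        "ran_constructor": ran_constructor,
        "blocked": blocked,
        "legit_ok": isinstance(legit, RuntimeError) and str(legit) == "broker error",
    }


if __name__ == "__main__":
    print(demo())
```

The check in `create_throwable_hardened` is the whole fix: the class is validated against the type the protocol field is supposed to carry before instantiation, not after. A patched broker rejects the malicious frame at that point; an unpatched one has already executed the foreign constructor by the time anything could object.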

Update Instructions

  • UMS 12: We are preparing an emergency release of UMS 12.02.130.
  • UMS 6: Upgrade to UMS 12.02.130, available soon.

References