Date: 31-10-2023
On 26 October 2023, Apache Foundation issued a patch for a vulnerability in ActiveMQ tracked under CVE-2023-46604 [1]. The vulnerability allows for remote code execution. We urge all recipients to install updates on vulnerable instances of ActiveMQ as soon as possible. Public exploitation code is available for this vulnerability. Northwave observed recent exploitation of this vulnerability leading to ransomware deployment.
Description
Apache ActiveMQ is a Java-based message broker, which is used to let different components of a software system communicate with each other. In the Apache ActiveMQ software, a remote threat actor with network access to the ActiveMQ service is able to abuse this vulnerability. The Apache ActiveMQ server contains a deserialisation error which can be abused to execute code as the service user of ActiveMQ.
Impact
The vulnerability allows for remote code execution as the service user of ActiveMQ [2, 3]. All of this can be done remotely and without authentication. From the vulnerable server, the threat actor can obtain access to the rest of the network. The Northwave CERT has observed misuse of this vulnerability leading to ransomware deployment. Based on this, Northwave assesses the impact to be high.
Risk
We assess the risk of this vulnerability as high, because the code for this exploit is available and exploitation has been observed.
Mitigation
The following versions of Apache ActiveMQ are affected [2]:
- Apache ActiveMQ 5.18.0 before 5.18.3- Apache ActiveMQ 5.17.0 before 5.17.6- Apache ActiveMQ 5.16.0 before 5.16.7- Apache ActiveMQ before 5.15.16- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Apache recommends users to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
What should you do?
We recommend to update Apache ActiveMQ as soon as possible to one of the versions mentioned above. There are hot-patches available for older versions, so an upgrade to a major release is not strictly necessary. Successful exploitation might not be logged. If the server was publicly reachable and vulnerable, we advise to check for signs of compromise and to actively monitor the server. If signs of compromise are detected, or if you are unsure, you can contact Northwave.
What will Northwave do?
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave.nl Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://www.cve.org/CVERecord?id=CVE-2023-46604
[2]: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.