Apache ActiveMQ Vulnerability

 

CVE-2023-46604


1. Executive Summary

 

Updated: October 31, 2023

 

Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack.

 

The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

2. Affected Versions

 

Apache ActiveMQ affected versions:

 

Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

 

Apache ActiveMQ users are recommended to upgrade to fixed versions:

 

Apache ActiveMQ 5.18.3
Apache ActiveMQ 5.17.6
Apache ActiveMQ 5.16.7
Apache ActiveMQ 5.15.16

 

HYTE MQ users are recommended to upgrade to fixed versions:

 

HYTE MQ 5.4.102 (or higher)
HYTE MQ OSS 4.3.7.hyte-4307h
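
An added example, not part of the HYTE advisory: a small POSIX shell helper that classifies an Apache ActiveMQ version string against the affected ranges listed above, so an inventory of installation folders (named apache-activemq-<version> as in the upgrade steps) can be checked without remembering four branch boundaries. It compares only the numeric components and treats the listed fixed release of each branch as the first unaffected version; HYTE MQ version strings are not covered.

```shell
# Added example (not part of the HYTE advisory): classify an Apache ActiveMQ
# version string against the CVE-2023-46604 affected ranges listed above.
# is_affected VERSION exits 0 when the version is in an affected range and 1
# when it is at or past the fixed release for its branch.

# vercmp A B prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions;
# missing trailing components count as 0 (5.18 equals 5.18.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Affected ranges from section 2, lower bound inclusive, upper bound
# exclusive (the upper bound is the fixed release for that branch).
AFFECTED_RANGES="5.18.0:5.18.3 5.17.0:5.17.6 5.16.0:5.16.7 0:5.15.16"

is_affected() {
    # Drop any qualifier such as -SNAPSHOT before comparing numerically.
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    for range in $AFFECTED_RANGES; do
        lo=${range%%:*}; hi=${range#*:}
        if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -lt 0 ]; then
            return 0
        fi
    done
    return 1
}

# Report on the version embedded in an installation folder name, e.g.
# /opt/activemq/apache-activemq-5.18.2 as used in the upgrade steps.
report_install() {  # report_install INSTALL_DIR
    ver=${1##*apache-activemq-}
    if is_affected "$ver"; then
        printf '%s: ActiveMQ %s is affected by CVE-2023-46604, upgrade\n' "$1" "$ver"
    else
        printf '%s: ActiveMQ %s is not in an affected range\n' "$1" "$ver"
    fi
}
```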

3. Mitigation Technical Details

 

The recommended approach to resolve this vulnerability is to upgrade to a patched version of ActiveMQ.

 

Potential Mitigation Options

 

Please upgrade to a patched version of ActiveMQ. Given that this security vulnerability requires network access to the ActiveMQ server to exploit, HYTE recommends three potential mitigations to assist with protection.

 

- Do not allow ActiveMQ servers to access a public internet connection.
- Do not allow the public internet to reach the ActiveMQ service.
- Use mutually authenticated (two-way) SSL/TLS connections.

4. ActiveMQ Upgrade Steps

 

The advice and commands detailed on this website should be used only as a reference in supporting your own messaging environment. You are solely responsible for determining the appropriateness of using and distributing any HYTE information and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This information is not intended to be used in any situation where a failure could cause risk of injury or damage to property. This is not intended as legal advice and no warranty is provided with this information. Use at your own risk.

Preparation Steps

 

1. Download the updated version of HYTE MQ (or Apache ActiveMQ)
2. Download the updated version of the Java JDK
3. Stage the files on the server

 

Upgrade

 

1. Stop the ActiveMQ server process

 

Consult with your system administrators for the proper way to shut down.
Most Linux servers use systemd (or another service manager).
Windows servers usually use Computer Management -> Services and Applications -> Services.

 

Default (replace the path with your installation folder):
$ cd /opt/activemq/apache-activemq-5.18.2
$ ./bin/activemq stop

 

2. Extract the new installation

 

Extract the new Java release
$ cd /opt/java
$ tar xzvf java-jdk-11.0.20.tar.gz

Extract the new ActiveMQ release
$ cd /opt/activemq
$ tar zxvf apache-activemq-5.18.3-unix.tar.gz
Note: Use unzip on Windows

 

3. Copy any config files from the old conf folder

 

Copy the ActiveMQ broker configuration file
$ cp /opt/activemq/apache-activemq-5.18.2/conf/activemq.xml /opt/activemq/apache-activemq-5.18.3/conf

Copy users, groups and passwords
$ cp /opt/activemq/apache-activemq-5.18.2/conf/users.properties /opt/activemq/apache-activemq-5.18.3/conf

Optionally, the SSL keystore
$ cp /opt/activemq/apache-activemq-5.18.2/conf/keystore.ks /opt/activemq/apache-activemq-5.18.3/conf
Copy any other custom configuration files over

 

4. Update the bin/env file so that the JAVA_HOME variable points to the new Java JDK

 

5. Copy the kahadb folder over to recover any stored messages

 

$ cp -a /opt/activemq/apache-activemq-5.18.2/data/amq /opt/activemq/apache-activemq-5.18.3/data

 

6. Start ActiveMQ

 

Consult with your system administrators for the proper way to start up.
Most Linux servers use systemd (or another service manager).
Windows servers usually use Computer Management -> Services and Applications -> Services.

 

Default:
$ cd /opt/activemq/apache-activemq-5.18.3
$ ./bin/activemq start

 

7. Log into HYTE Console to confirm the new ActiveMQ server is running and is able to send and browse messages using a test queue
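
The upgrade steps above as parameterised POSIX shell functions, added here as an example and not HYTE's or Apache's own tooling. It assumes the folder layout used in the steps (conf/, bin/env, data/amq under each installation folder), that the stock bin/env contains a JAVA_HOME="" line, and that the unpacked JDK folder name is whatever your Java archive produced; the step 2 tar commands are run beforehand.

```shell
# Added example, not HYTE's or Apache's own tooling: the upgrade steps above
# as shell functions. OLD_HOME/NEW_HOME are the two installation folders
# (the advisory uses /opt/activemq/apache-activemq-5.18.2 and .../5.18.3).
set -u

# Step 3: carry configuration, credentials and keystore across. Only files
# present in the old conf/ are copied (a missing keystore is not an error);
# cp -p keeps the restrictive modes on password and keystore files.
copy_config() {  # copy_config OLD_HOME NEW_HOME
    for f in activemq.xml users.properties groups.properties keystore.ks; do
        if [ -f "$1/conf/$f" ]; then
            cp -p "$1/conf/$f" "$2/conf/$f"
        fi
    done
}

# Step 4: point bin/env at the new JDK. The stock env file carries a
# JAVA_HOME="" line (assumed here); it is rewritten in place with a .bak
# copy kept, or a line is appended if the file has none.
set_java_home() {  # set_java_home NEW_HOME JDK_DIR
    if grep -q '^JAVA_HOME=' "$1/bin/env"; then
        sed -i.bak "s|^JAVA_HOME=.*|JAVA_HOME=\"$2\"|" "$1/bin/env"
    else
        printf 'JAVA_HOME="%s"\n' "$2" >> "$1/bin/env"
    fi
}

# Step 5: bring the message store (data/amq in the advisory) across;
# cp -a preserves ownership and timestamps so the journal reopens unchanged.
copy_data() {  # copy_data OLD_HOME NEW_HOME
    if [ -d "$1/data/amq" ]; then
        mkdir -p "$2/data"
        cp -a "$1/data/amq" "$2/data/"
    fi
}

# Steps 1 and 3 to 6 in order; step 2 (extracting the archives) is done
# beforehand with the tar commands shown above.
upgrade_activemq() {  # upgrade_activemq OLD_HOME NEW_HOME JDK_DIR
    "$1/bin/activemq" stop
    copy_config "$1" "$2"
    set_java_home "$2" "$3"
    copy_data "$1" "$2"
    "$2/bin/activemq" start
}

# Run the full procedure only when the three paths are given on the command line.
if [ $# -eq 3 ]; then
    upgrade_activemq "$1" "$2" "$3"
fi
```

Run it as `sh upgrade.sh /opt/activemq/apache-activemq-5.18.2 /opt/activemq/apache-activemq-5.18.3 /opt/java/<jdk-folder>` after extracting both archives; the individual functions can also be sourced and run one step at a time.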

5. Change Log

 

Table 1. Changes

 

Date        Note
2023-11-08  Updated syntax in section "Extract the new installation" in ActiveMQ Upgrade Steps
2023-11-06  Added ActiveMQ News Update to References
2023-11-01  Added Rapid7 analysis to References
2023-11-01  Added ActiveMQ upgrade approach / steps
2023-10-31  Initial publication


7. Contact HYTE

 

For technical assistance, please open a support ticket in the HYTE Portal

 

You are solely responsible for determining the appropriateness of using and distributing any publicly available HYTE information and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This information is not intended to be used in any situation where a failure could cause risk of injury or damage to property. This is not intended as legal advice and no warranty is provided with this information. Use at your own risk.

 

When using Google Translate, please note that commands may need to be executed with English syntax depending on your system configuration.

Check out our new YouTube channel, The Uplink, if you are interested in the latest discussions regarding messaging, streaming, middleware, integration and all technologies that surround those topics in the Enterprise.