1. Executive Summary
Updated: October 31, 2023
Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack.
The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
2. Affected Versions
Apache ActiveMQ affected versions:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Apache ActiveMQ users are recommended to upgrade to fixed versions:
Apache ActiveMQ 5.18.3
Apache ActiveMQ 5.17.6
Apache ActiveMQ 5.16.7
Apache ActiveMQ 5.15.16
HYTE MQ users are recommended to upgrade to fixed versions:
HYTE MQ 5.4.102 (or higher)
HYTE MQ OSS 4.3.7.hyte-4307h
3. Mitigation Technical Details
The recommended approach to resolve this vulnerability is to upgrade to a patched version of ActiveMQ.
Potential Mitigation Options
Please upgrade to a patched version of ActiveMQ. Given that this security vulnerability requires network access to the ActiveMQ server to exploit, HYTE recommends three potential mitigations to assist with protection.
Do not allow ActiveMQ servers to access a public internet connection.
Do not allow public internet to access ActiveMQ service.
Use mutually authenticated (two-way) SSL/TLS connections, so that only clients presenting a trusted certificate can connect to the broker.
4. ActiveMQ Upgrade Steps
The advice and commands detailed on this website should be used only as a reference in supporting your own messaging environment. You are solely responsible for determining the appropriateness of using and distributing any HYTE information and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This information is not intended to be used in any situation where a failure could cause risk of injury or damage to property. This is not intended as legal advice and no warranty is provided with this information. Use at your own risk.
Preparation Steps
Download updated version of HYTE MQ (or Apache ActiveMQ)
Download updated version of Java JDK
Stage files on the server
Upgrade
1) Stop the ActiveMQ server process
Consult with system administrators for the proper way to shut down the service.
Most Linux servers use systemd (or other service startup manager)
Windows servers usually use Computer Management -> Services and Applications -> Services
Default:
$ cd /opt/activemq/apache-activemq-5.18.2 (replace with correct installation folder)
$ ./bin/activemq stop
2) Extract the new installation
Extract new Java release
$ cd /opt/java
$ tar xzvf java-jdk-11.0.20.tar.gz
Extract new ActiveMQ release
$ cd /opt/activemq
$ tar zxvf apache-activemq-5.18.3-unix.tar.gz
Note: Use unzip on Windows
3) Copy any config files from the old conf folder
Copy ActiveMQ broker configuration file
$ cp /opt/activemq/apache-activemq-5.18.2/conf/activemq.xml /opt/activemq/apache-activemq-5.18.3/conf
Copy users, groups and passwords
$ cp /opt/activemq/apache-activemq-5.18.2/conf/users.properties /opt/activemq/apache-activemq-5.18.3/conf
Optionally, SSL keystore
$ cp /opt/activemq/apache-activemq-5.18.2/conf/keystore.ks /opt/activemq/apache-activemq-5.18.3/conf
Copy any other custom configuration files over
4) Update bin/env file to point to new Java JDK as JAVA_HOME variable
5) Copy kahadb folder over to recover any messages
$ cp -a /opt/activemq/apache-activemq-5.18.2/data/amq /opt/activemq/apache-activemq-5.18.3/data
6) Start ActiveMQ
Consult with system administrators for the proper way to start the service.
Most Linux servers use systemd (or other service startup manager)
Windows servers usually use Computer Management -> Services and Applications -> Services
Default:
$ cd /opt/activemq/apache-activemq-5.18.3
$ ./bin/activemq start
7) Log into HYTE Console to confirm the new ActiveMQ server is running and is able to send and browse messages using a test queue
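An added helper script, not HYTE's or Apache's, that carries out steps 3 to 5 above in one place (broker config, users/passwords, optional keystore, message store and JAVA_HOME) and refuses to run when the old broker config is missing, so a mistyped path cannot silently produce an empty new install. The old and new install directories and the JDK directory are parameters rather than fixed paths.

```shell
#!/bin/sh
# Added example, not HYTE's or Apache's script: does steps 3 to 5 of the upgrade
# (config, users/passwords, optional keystore, message store, JAVA_HOME) and
# stops early if the old broker config is missing. Paths are parameters.

# copy_activemq_state OLD_DIR NEW_DIR
copy_activemq_state() {
  old="$1"; new="$2"
  [ -f "$old/conf/activemq.xml" ] || { echo "no broker config at $old/conf" >&2; return 1; }
  [ -d "$new/conf" ] || { echo "no conf directory in new install $new" >&2; return 1; }
  cp "$old/conf/activemq.xml" "$new/conf/"
  cp "$old/conf/users.properties" "$new/conf/"
  # keystore is only present on SSL-enabled brokers
  if [ -f "$old/conf/keystore.ks" ]; then cp "$old/conf/keystore.ks" "$new/conf/"; fi
  # -a keeps ownership, permissions and timestamps of the message store
  if [ -d "$old/data/amq" ]; then
    mkdir -p "$new/data" && cp -a "$old/data/amq" "$new/data/"
  fi
}

# set_java_home ENV_FILE JDK_DIR : points JAVA_HOME in bin/env at the new JDK
# (ActiveMQ's bin/env ships with a JAVA_HOME="" line; one is appended if absent)
set_java_home() {
  envfile="$1"; jdk="$2"
  [ -d "$jdk" ] || { echo "JDK directory not found: $jdk" >&2; return 1; }
  if grep -q '^JAVA_HOME=' "$envfile"; then
    sed -i.bak "s|^JAVA_HOME=.*|JAVA_HOME=\"$jdk\"|" "$envfile"
  else
    printf 'JAVA_HOME="%s"\n' "$jdk" >> "$envfile"
  fi
}

# Usage: sh upgrade-helper.sh OLD_DIR NEW_DIR JDK_DIR  (run while the broker is stopped)
if [ "$#" -eq 3 ]; then
  copy_activemq_state "$1" "$2" && set_java_home "$2/bin/env" "$3"
fi
```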
5. Change Log
| Date | Note |
|---|---|
| 2023-11-08 | Updated syntax in section "Extract the new installation" in ActiveMQ Upgrade Steps |
| 2023-11-06 | Added ActiveMQ News Update to References |
| 2023-11-01 | Added Rapid7 analysis to References |
| 2023-11-01 | Added ActiveMQ upgrade approach / steps |
| 2023-10-31 | Initial publication |
6. References
CVE Information:
CVE.org | https://www.cve.org/CVERecord?id=CVE-2023-46604
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-46604
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46604
Rapid7 Analysis | https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
General References:
https://activemq.apache.org/news/cve-2023-46604
https://activemq.apache.org/security-advisories.data/CVE-2023-46604
https://issues.apache.org/jira/browse/AMQ-9370
7. Contact HYTE
For technical assistance, please open a support ticket in the HYTE Portal.
You are solely responsible for determining the appropriateness of using and distributing any publicly available HYTE information and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This information is not intended to be used in any situation where a failure could cause risk of injury or damage to property. This is not intended as legal advice and no warranty is provided with this information. Use at your own risk.
Questions?
Sometimes a 15-minute conversation with a Messaging Platform Architect can help make it all clear. Schedule a meeting for a quick discussion and/or online demo of our platform and tools.