
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2023-46604 is a critical vulnerability in Apache ActiveMQ's Java OpenWire protocol marshaller that was disclosed on October 27, 2023. The vulnerability affects multiple versions of Apache ActiveMQ and its Legacy OpenWire Module, including versions 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7, and versions before 5.15.16. This remote code execution vulnerability allows an attacker with network access to either a Java-based OpenWire broker or client to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol (Apache Advisory, NVD).
The vulnerability stems from the OpenWire protocol marshaller's failure to validate throwable class types during the unmarshalling process. Because the marshaller does not check that the class it is asked to build is actually a Throwable, it can be made to create instances of any class on the classpath. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical). Three components are required for successful exploitation: network access, a manipulated OpenWire command used to instantiate an arbitrary class with a String parameter, and a class on the classpath which can execute arbitrary code by instantiating it with a String parameter (Rapid7 Blog).
Successful exploitation can lead to remote code execution, allowing attackers to run arbitrary shell commands on affected systems. In observed attacks, threat actors have attempted to deploy ransomware binaries and cryptocurrency miners on target systems. The vulnerability has been exploited to download and infect Linux systems with the Kinsing malware, which can spread across networks and exploit multiple vulnerabilities (Trend Micro).
Users are strongly recommended to upgrade both Java OpenWire brokers and clients to the fixed versions: 5.15.16, 5.16.7, 5.17.6, or 5.18.3. The patch includes validation of throwable class types in the BaseDataStreamMarshaller class to prevent arbitrary class instantiation. Organizations should also monitor network traffic for unusual activity and regularly audit configurations as part of a comprehensive cybersecurity strategy (Apache Advisory).
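The kind of type validation described above, as an added example that is not taken from this page or from the ActiveMQ code base. The class and method names are hypothetical, and the inputs in `main` are constructed stand-ins for a class name and message read off the wire.

```java
import java.lang.reflect.Constructor;

// Illustrative only: class and method names are hypothetical, not ActiveMQ's.
public class ThrowableTypeCheck {

    // Unsafe pattern: any class on the classpath with a (String) constructor
    // is instantiated; nothing confirms it is a Throwable first.
    static Object createUnchecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Hardened pattern: load the class without running its static
    // initializers, confirm it is a Throwable, and only then construct it.
    static Throwable createChecked(String className, String message) throws Exception {
        ClassLoader loader = ThrowableTypeCheck.class.getClassLoader();
        Class<?> clazz = Class.forName(className, false, loader);
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                "Class is not assignable to Throwable: " + clazz.getName());
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a legitimate exception type is accepted.
        Throwable ok = createChecked("java.io.IOException", "broker unavailable");
        System.out.println("accepted: " + ok);

        // Constructed input: StringBuilder has a (String) constructor but is
        // not a Throwable, so the unchecked path builds it anyway.
        Object obj = createUnchecked("java.lang.StringBuilder", "constructed");
        System.out.println("unchecked path built a " + obj.getClass().getName());

        // The checked path rejects the same input before any constructor runs.
        try {
            createChecked("java.lang.StringBuilder", "constructed");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check has to come before `newInstance`: casting the result to `Throwable` afterwards fails too late, because the constructor has already run.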
The vulnerability has caused significant concern in the cybersecurity community, leading to increased traffic on mailing lists and in Jira from users inquiring about its impact on both ActiveMQ Classic and ActiveMQ Artemis clients and brokers. Multiple security vendors and researchers have published detailed analyses and detection methods. The vulnerability was also added to CISA's Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply mitigations (ActiveMQ News).
Source: This report was generated using AI