CVE-2023-46604 — CRITICAL (10.0)

Q: How severe is CVE-2023-46604?

CVE-2023-46604 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-46604?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq, Apache Activemq Legacy Openwire Module, Debian Debian Linux, Netapp E-Series Santricity Unified Manager, Netapp E-Series Santricity Web Services Proxy.

Vulnerability Description

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Activemq	< 5.15.16
Apache	Activemq Legacy Openwire Module	< 5.15.16
Debian	Debian Linux	10.0
Netapp	E-Series Santricity Unified Manager	-
Netapp	E-Series Santricity Web Services Proxy	-
Netapp	Santricity Storage Plugin	-

Related Weaknesses (CWE)

CWE-502

References

http://seclists.org/fulldisclosure/2024/Apr/18Mailing ListThird Party Advisory
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcementVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.htmlMailing List
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-RemExploitThird Party AdvisoryVDB Entry
https://security.netapp.com/advisory/ntap-20231110-0010/Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/10/27/5Mailing List
http://seclists.org/fulldisclosure/2024/Apr/18Mailing ListThird Party Advisory
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcementVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.htmlMailing List
https://lists.debian.org/debian-lts-announce/2024/10/msg00027.htmlMailing List
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-RemExploitThird Party AdvisoryVDB Entry
https://security.netapp.com/advisory/ntap-20231110-0010/Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/10/27/5Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2023-46604?

CVE-2023-46604 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to r...

How severe is CVE-2023-46604?

CVE-2023-46604 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-46604?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq, Apache Activemq Legacy Openwire Module, Debian Debian Linux, Netapp E-Series Santricity Unified Manager, Netapp E-Series Santricity Web Services Proxy.