A critical remote code execution (RCE) vulnerability, tracked as CVE-2023-46604, has left more than 3,000 internet-exposed Apache ActiveMQ servers at risk. Apache ActiveMQ is a popular open-source message broker that relays messages between clients and servers. It supports Java and a range of cross-language clients, along with multiple wire protocols including AMQP, MQTT, OpenWire, and STOMP. Enterprises commonly deploy it so that systems can exchange data without direct connectivity to one another, and it provides authentication and authorization mechanisms to secure that traffic.
CVE-2023-46604 is a critical-severity RCE flaw: an attacker with network access to a broker can manipulate serialized class types in the OpenWire protocol so that the broker instantiates an arbitrary class on its classpath, which in turn lets the attacker run arbitrary shell commands. The vulnerability affects certain versions of Apache ActiveMQ and the Legacy OpenWire Module, as described in Apache's disclosure of October 27, 2023. Fixes were released the same day in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3; every earlier release on those branches, and every release older than 5.15.16, remains affected.
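The fix list above is easy to misread when an inventory mixes maintenance branches, so here is an added example (not code from the original article or from the Apache project) that maps a version string onto the advisory's affected ranges. It assumes the advisory's wording: a release on the 5.16, 5.17 or 5.18 branch is affected when it is below that branch's fix, and anything below 5.15.16 (including older 5.x branches with no fix of their own) is affected; branches newer than 5.18 were cut after the fix. Treating a SNAPSHOT build as a pre-release of the version it names is this example's own convention, and the inventory at the bottom is constructed.

```python
"""Classify Apache ActiveMQ version strings against the CVE-2023-46604 fix releases.

Added example, not part of the original article or of the Apache ActiveMQ project.
"""
import re
from typing import Dict, Iterable, List, Tuple

# (major, minor, patch, release flag): the flag is 0 for a SNAPSHOT build and
# 1 for a release, so a SNAPSHOT of 5.18.3 sorts just below the 5.18.3 release.
Version = Tuple[int, int, int, int]

# Fix releases named in the Apache advisory of 27 October 2023.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16, 1),
    (5, 16): (5, 16, 7, 1),
    (5, 17): (5, 17, 6, 1),
    (5, 18): (5, 18, 3, 1),
}
OLDEST_FIX: Version = FIXED_BY_BRANCH[(5, 15)]


def parse_version(text: str) -> Version:
    """Pull x.y.z out of strings such as '5.18.2', 'apache-activemq-5.17.4'
    or 'ActiveMQ 5.18.3-SNAPSHOT' (assumed input shapes)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    release = 0 if "SNAPSHOT" in text.upper() else 1
    return (major, minor, patch, release)


def is_vulnerable(text: str) -> bool:
    """True when the version falls inside an affected range of the advisory."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Same branch: vulnerable until the branch's own fix release.
        return v < FIXED_BY_BRANCH[branch]
    # 5.14 and older never got a dedicated fix; the advisory covers them under
    # "before 5.15.16". Anything newer than 5.18 was released after the fix.
    return v < OLDEST_FIX


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hosts from (host, version) pairs that still need patching."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mq-prod-01.example.internal", "apache-activemq-5.18.2"),
    ("mq-prod-02.example.internal", "apache-activemq-5.18.3"),
    ("mq-legacy.example.internal", "ActiveMQ 5.14.5"),
    ("mq-stage.example.internal", "5.17.6"),
    ("mq-dev.example.internal", "5.18.3-SNAPSHOT"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required (CVE-2023-46604)")
```

Feed it the version from the installed distribution rather than a remote banner where you can: a banner taken off the network reflects whatever the listener currently advertises, while the jar on disk is what is actually running.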
Researchers from the threat monitoring service ShadowServer found 7,249 servers with reachable ActiveMQ services. Of these, 3,329 were running a version of ActiveMQ susceptible to CVE-2023-46604, leaving all of them open to remote code execution. A geographical breakdown of the vulnerable servers shows that the majority (1,400) are in China, followed by the United States with 530 and Germany with 153. India, the Netherlands, Russia, France, and South Korea each account for roughly 100 exposed servers.
Exploitation of CVE-2023-46604 could have severe consequences in enterprise environments where Apache ActiveMQ acts as the message broker. Potential impacts include message interception, workflow disruption, data theft, and lateral movement within the network, since a compromised broker sits on paths between many internal systems. Because the technical details needed to exploit CVE-2023-46604 are publicly available, applying the released security updates is urgent; until a broker is upgraded, its OpenWire listener (TCP port 61616 by default) should not be reachable from untrusted networks.