The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

The remote Debian 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5798 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5798-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     October 26, 2024                      https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : activemq     CVE ID         : CVE-2023-46604

    Christoper L. Shannon discovered that the implementation of the OpenWire     protocol in Apache ActiveMQ was susceptible to the execution of     arbitrary code.

    For the stable distribution (bookworm), these problems have been fixed in     version 5.17.2+dfsg-2+deb12u1.

    We recommend that you upgrade your activemq packages.

    For the detailed security status of activemq please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/activemq

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3936 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3936-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/               Santiago Ruano Rincn     October 25, 2024                              https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : activemq     Version        : 5.16.1-1+deb11u1     CVE ID         : CVE-2022-41678 CVE-2023-46604     Debian Bug     : 1054909

    Two vulnerabilities were found in Apache ActiveMQ, a Java-based message broker.

    CVE-2022-41678

        Deserialization vulnerability on Jolokia that allows authenticated users to         perform arbitrary code execution.

    CVE-2023-46604

        The Java OpenWire protocol marshaller is vulnerable to arbitrary code         execution. This vulnerability may allow a remote attacker with network         access to run arbitrary shell commands by manipulating serialized class         types in either a Java-based OpenWire broker or client.

    For Debian 11 bullseye, these problems have been fixed in version     5.16.1-1+deb11u1.

    We recommend that you upgrade your activemq packages.

    For the detailed security status of activemq please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/activemq

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6910-1 advisory.

    Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker     could possibly use this issue to terminate the program, resulting in a denial of service. This issue only     affected Ubuntu 16.04 LTS. (CVE-2015-7559)

    Peter Stckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote     attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected     Ubuntu 16.04 LTS. (CVE-2018-11775)

    Jonathan Gallimore and Colm  higeartaigh discovered that Apache ActiveMQ incorrectly handled     authentication in certain functions. A remote attacker could possibly use this issue to perform a person-     in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-13920)

    Gregor Tudan discovered that Apache ActiveMQ incorrectly handled LDAP authentication. A remote attacker     could possibly use this issue to acquire unauthenticated access. This issue only affected Ubuntu 16.04     LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26117)

    It was discovered that Apache ActiveMQ incorrectly handled authentication. A remote attacker could     possibly use this issue to run arbitrary code. (CVE-2022-41678)

    It was discovered that Apache ActiveMQ incorrectly handled deserialization. A remote attacker could     possibly use this issue to run arbitrary shell commands. (CVE-2023-46604)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host contains an Apache ActiveMQ version that is prior to 5.15.16, 5.16.7, 5.17.6, or 5.18.3. It is, therefore, affected by a remote code execution vulnerability. A remote attacker can exploit this and load the malicious XML of their choice from any URL and perform remote code execution.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3657 advisory.

  - Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server     to the jmxrmi entry. It is possible to connect to the registry without authentication and call the     rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the     original, and bound that, he effectively becomes a man in the middle and is able to intercept the     credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. (CVE-2020-13920)

  - The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In     this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions     5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in     no check on the password. (CVE-2021-26117)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache ActiveMQ is vulnerable to remote code execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to versions 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which address this issue.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
209827	Debian dsa-5798 : activemq - security update	Nessus	Debian Local Security Checks	critical
209676	Debian dla-3936 : activemq - security update	Nessus	Debian Local Security Checks	critical
203693	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache ActiveMQ vulnerabilities (USN-6910-1)	Nessus	Ubuntu Local Security Checks	critical
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	critical
186650	Apache ActiveMQ RCE (CVE-2023-46604)	Nessus	Misc.	critical
186019	Debian DLA-3657-1 : activemq - LTS security update	Nessus	Debian Local Security Checks	critical
184189	Apache ActiveMQ < 5.15.16 / 5.16.x < 5.16.7 / 5.17.x < 5.17.6 / 5.18.x < 5.18.3 RCE	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2023-46604

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical