The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6910-1 advisory.

    Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker     could possibly use this issue to terminate the program, resulting in a denial of service. This issue only     affected Ubuntu 16.04 LTS. (CVE-2015-7559)

    Peter Stckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote     attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected     Ubuntu 16.04 LTS. (CVE-2018-11775)

    Jonathan Gallimore and Colm  higeartaigh discovered that Apache ActiveMQ incorrectly handled     authentication in certain functions. A remote attacker could possibly use this issue to perform a person-     in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-13920)

    Gregor Tudan discovered that Apache ActiveMQ incorrectly handled LDAP authentication. A remote attacker     could possibly use this issue to acquire unauthenticated access. This issue only affected Ubuntu 16.04     LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26117)

    It was discovered that Apache ActiveMQ incorrectly handled authentication. A remote attacker could     possibly use this issue to run arbitrary code. (CVE-2022-41678)

    It was discovered that Apache ActiveMQ incorrectly handled deserialization. A remote attacker could     possibly use this issue to run arbitrary shell commands. (CVE-2023-46604)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host contains an Apache ActiveMQ version that is prior to 5.15.16, 5.16.7, 5.17.6, or 5.18.3. It is, therefore, affected by a remote code execution vulnerability. A remote attacker can exploit this and load the malicious XML of their choice from any URL and perform remote code execution.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3657 advisory.

  - Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server     to the jmxrmi entry. It is possible to connect to the registry without authentication and call the     rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the     original, and bound that, he effectively becomes a man in the middle and is able to intercept the     credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. (CVE-2020-13920)

  - The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In     this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions     5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in     no check on the password. (CVE-2021-26117)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache ActiveMQ is vulnerable to remote code execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to versions 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which address this issue.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
203693	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache ActiveMQ vulnerabilities (USN-6910-1)	Nessus	Ubuntu Local Security Checks	critical
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	critical
186650	Apache ActiveMQ RCE (CVE-2023-46604)	Nessus	Misc.	critical
186019	Debian DLA-3657-1 : activemq - LTS security update	Nessus	Debian Local Security Checks	critical
184189	Apache ActiveMQ < 5.15.16 / 5.16.x < 5.16.7 / 5.17.x < 5.17.6 / 5.18.x < 5.18.3 RCE	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2023-46604

critical

Tenable Plugins

critical

critical

critical

critical

critical