ActiveMQ OpenWire RCE (CVE-2023-46604) - Vulnerability Database

Description

Apache ActiveMQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3 contain a critical remote code execution vulnerability in the OpenWire protocol implementation. The OpenWire broker, which listens on TCP port 61616 by default, fails to properly validate serialized Java class types in incoming messages. This allows unauthenticated remote attackers to send malicious serialized objects that, when deserialized by the broker, can execute arbitrary commands on the server.

Remediation

Take the following steps immediately to remediate this vulnerability:

1. Upgrade ActiveMQ: Update to a patched version as soon as possible:
- For 5.15.x branch: upgrade to 5.15.16 or later
- For 5.16.x branch: upgrade to 5.16.7 or later
- For 5.17.x branch: upgrade to 5.17.6 or later
- For 5.18.x branch: upgrade to 5.18.3 or later

2. Interim Mitigation (if immediate patching is not possible):
- Restrict network access to the OpenWire port (default 61616) using firewall rules to only allow trusted IP addresses
- Disable the OpenWire protocol if not required for your deployment
- Consider placing ActiveMQ behind a VPN or other network segmentation controls

3. Post-Remediation:
- Review system logs for any suspicious activity or indicators of compromise
- Monitor for unexpected DNS queries or outbound network connections
- Verify that only necessary protocols and ports are exposed
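
As an added example (not code from Invicti or the Apache ActiveMQ project), the Python script below checks a broker version against the fixed releases listed above and reports which transport connectors in an activemq.xml carry OpenWire and whether they bind to all interfaces. The function names, the list of OpenWire URI schemes and the sample configuration are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# First fixed release per branch, taken from the advisory text above.
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}
# Assumption: connector URI schemes that speak OpenWire (tcp/ssl/nio/auto variants).
OPENWIRE_SCHEMES = {"tcp", "ssl", "nio", "nio+ssl", "auto", "auto+ssl", "auto+nio", "auto+nio+ssl"}
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
 <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <transportConnectors>
   <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
   <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
   <transportConnector name="internal" uri="nio://127.0.0.1:61617"/>
  </transportConnectors>
 </broker>
</beans>"""

def is_affected(version: str) -> bool:
    """True if `version` predates the fixed release of its branch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Assumption: branches older than 5.15 have no fixed release and count as
    # affected; branches newer than 5.18 are not listed in this advisory.
    return (major, minor) < (5, 15)

def openwire_connectors(activemq_xml: str):
    """Return (name, host, port, binds_all_interfaces) per OpenWire connector."""
    found = []
    for el in ET.fromstring(activemq_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        uri = urlsplit(el.get("uri", ""))
        if uri.scheme.lower() in OPENWIRE_SCHEMES:
            host = uri.hostname or ""
            found.append((el.get("name"), host, uri.port, host in WILDCARD_HOSTS))
    return found

if __name__ == "__main__":
    print("5.18.2 affected:", is_affected("5.18.2"))
    for name, host, port, exposed in openwire_connectors(SAMPLE_XML):
        print(f"{name}: {host}:{port}", "ALL INTERFACES" if exposed else "restricted bind")
```

A connector reported as binding to all interfaces on an affected version is the case the interim firewall and segmentation steps are meant to cover until the upgrade is done.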
