CVE-2023-46604 - ActiveMQ Service Report

Description

The ActiveMQ Service is a Java-based open source project developed by the Apache Software Foundation.  There are currently two (2) versions of ActiveMQ: Classic and Artemis.  Apache plans to support only the ActiveMQ Artemis version once Artemis has evolved to include all of the features currently available in the Classic version.

The ActiveMQ project was originally created by its founders from LogicBlaze in 2004, as an open source message broker, hosted by CodeHaus.  The code and ActiveMQ trademark were donated to the Apache Software Foundation in 2007, where the founders continued to develop the codebase with the extended Apache community.

The Apache Software Foundation developed ActiveMQ into an open source implementation of message-oriented middleware (MOM).  Its basic function is to send messages between different applications, but it also supports additional interfaces and protocols such as the Simple Text Oriented Message Protocol (STOMP), the Java Message Service (JMS) API, and the OpenWire Protocol.

Message brokers like Apache ActiveMQ are often found in enterprise systems — or any systems that have a complex architecture.  The goal of the implementation is to create reliable communication between the various components of the enterprise system.

ActiveMQ Artemis is an open source project for an asynchronous messaging system.  It originates from the HornetQ messaging system, which was donated to Apache in 2014.  It retains compatibility with HornetQ while adding many interesting features.  It is high performance, embeddable, clustered and supports multiple protocols.  JBoss EAP 7 uses Apache ActiveMQ Artemis as its JMS broker and is configured using the messaging-activemq subsystem.

ActiveMQ Artemis has a pluggable protocol architecture.  Protocol plugins come in the form of ActiveMQ Artemis protocol modules.  Each protocol module can be added to the broker's class path and is loaded by the broker at boot time.

ActiveMQ Artemis ships with 5 protocol modules out of the box.  The five (5) modules offer support for the protocols listed below.  In addition to the protocols supported by these modules, ActiveMQ Artemis also offers support for its own highly performant native protocol, "Core".

ActiveMQ Artemis offers support for the following protocols.

No.  Acronym   Protocol Name
1.   AMQP      Advanced Message Queuing Protocol
2.   OpenWire  OpenWire Protocol
3.   MQTT      Message Queuing Telemetry Transport Protocol
4.   STOMP     Simple Text Oriented Message Protocol
5.   HornetQ   HornetQ Protocol
6.   Core      Core Native Protocol

The Apache ActiveMQ Service listens on port 61616/TCP.

Problem

On the 30th Oct 2023, the Shadowserver Foundation published its Accessible ActiveMQ Service Report in relation to the CVE-2023-46604 vulnerability, which the Apache Software Foundation had publicly disclosed on the 25th Oct 2023.  The Shadowserver Foundation subsequently released a report identifying hosts within the jurisdiction that are potentially vulnerable to exploitation through the CVE-2023-46604 vulnerability.

On the 27th Oct 2023, the Cyber Security Company Rapid7 identified suspected exploitation of the CVE-2023-46604 vulnerability in two different customer environments.  In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organisations.  Based on the ransom note and available evidence, the activity was attributed to the HelloKitty ransomware family, whose source code was leaked on a forum in early October 2023.  Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

On the 20th Nov 2023, the Cyber Security Company Trend Micro reported active exploitation of the CVE-2023-46604 vulnerability to download and infect Linux systems with the Kinsing malware (also known as h2miner) and a cryptocurrency miner.

Common Vulnerabilities & Exposures (CVEs)

Systems used for reporting and assessing the severity of security vulnerabilities.

No.  System                                       Description
1.   Common Vulnerabilities and Exposures (CVE)   The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2.   Common Vulnerability Scoring System (CVSS)   CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3.0 Metrics.

No.  Base Score Range  Severity
1.   0.0               None
2.   0.1 - 3.9         Low
3.   4.0 - 6.9         Medium
4.   7.0 - 8.9         High
5.   9.0 - 10.0        Critical

CVE-2023-46604 - ActiveMQ Service - Links to CVE.Mitre.org & Apache Security Advisory.

CVE-2023-46604 was publicly disclosed on: 25th Oct 2023

No.          1.
CVE Report   CVE-2023-46604
Description  The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution (RCE).  This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
CVSSv3       9.8
Advisory     Apache Security Advisory

Note: Clicking the CVE Report link in the table above directs constituents to the www.mitre.org webpage, which contains the relevant information on the particular CVE No.  From there, constituents have the option to click the www.cve.org link, which opens the www.cve.org webpage, where additional information on the CVE in question can be accessed by entering the CVE No. in the Find field.

Solution

The Apache Software Foundation reported the following versions of ActiveMQ as vulnerable to CVE-2023-46604.

No.  Versions of ActiveMQ that are Affected
1.   Apache ActiveMQ 5.18.0 before 5.18.3.
2.   Apache ActiveMQ 5.17.0 before 5.17.6.
3.   Apache ActiveMQ 5.16.0 before 5.16.7.
4.   Apache ActiveMQ before 5.15.16.
5.   Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3.
6.   Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6.
7.   Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7.
8.   Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16.

Recommendations.

The Apache Software Foundation recommends that users upgrade both brokers and clients to the following versions, which it reports fix the issue.

No.  Versions of ActiveMQ that fix the Issue
1.   Apache ActiveMQ 5.15.16.
2.   Apache ActiveMQ 5.16.7.
3.   Apache ActiveMQ 5.17.6.
4.   Apache ActiveMQ 5.18.3.
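The affected and fixed version tables above can be turned into an inventory check.  The following is an added example written for this report, not code from Apache or any of the cited vendors; it assumes a constructed host,version inventory and treats pre-release suffixes such as -SNAPSHOT as the release they precede.

```python
"""Check Apache ActiveMQ version strings against the CVE-2023-46604 ranges."""
import re
from typing import List, NamedTuple, Optional, Tuple

class Verdict(NamedTuple):
    affected: bool
    fixed_version: Optional[str]   # release the advisory says to upgrade to

# Affected ranges from the Apache advisory: (lower bound inclusive, fix release exclusive).
# The 5.15 branch is "before 5.15.16" with no lower bound for the core broker, which
# also covers the Legacy OpenWire Module's "5.8.0 before 5.15.16" range.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing suffix such as '-SNAPSHOT' is ignored (assumption)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not an ActiveMQ version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def check_version(text: str) -> Verdict:
    """Return whether the version is in an affected range and which release fixes it."""
    v = parse_version(text)
    for low, fix in AFFECTED_RANGES:
        if low <= v < fix:
            return Verdict(True, ".".join(map(str, fix)))
    return Verdict(False, None)

# Constructed sample inventory (hypothetical hosts, not from the report): host,version
SAMPLE_INVENTORY = """\
broker-01.example.internal,5.15.9
broker-02.example.internal,5.16.7
broker-03.example.internal,5.17.2
broker-04.example.internal,5.18.3
client-07.example.internal,5.18.2-SNAPSHOT
"""

def hosts_needing_upgrade(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, fixed_version) for every affected inventory entry."""
    out = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        verdict = check_version(version)
        if verdict.affected:
            out.append((host.strip(), version.strip(), verdict.fixed_version))
    return out

if __name__ == "__main__":
    for host, version, fix in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2023-46604, upgrade to {fix}")
```

Brokers and clients both need checking, since the advisory's fix versions apply to either side of an OpenWire connection.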

Additional Information

Shadowserver Foundation - Accessible ActiveMQ Service Report.
Apache ActiveMQ - Flexible & Powerful Open Source Multi-Protocol Messaging.
Rapid7 - Suspected Exploitation of Apache ActiveMQ CVE-2023-46604.
The Register - Critical Apache ActiveMQ flaw under attack by 'clumsy' ransomware crims.
Debian LTS Advisory DLA-3657-1 - ActiveMQ Security Update.
CVE-2023-46604 (Apache ActiveMQ) Exploited to infect Systems with Cryptominers and Rootkits.
ActiveMQ Artemis - Apache ActiveMQ Artemis User Manual.