Full Report
CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability in Apache ActiveMQ. This vulnerability may allow a remote attacker with network access to a broker to run arbitrary commands due to an insecure deserialization in the OpenWire protocol. The vulnerability is ...
Analysis Summary
# Vulnerability: Critical RCE in Apache ActiveMQ via Insecure Deserialization (CVE-2023-46604)
## CVE Details
- CVE ID: CVE-2023-46604
- CVSS Score: 9.8 (Critical) - *Inferred from "critical RCE"*
- CWE: CWE-502: Deserialization of Untrusted Data
## Affected Systems
- Products: Apache ActiveMQ
- Versions: Not explicitly listed in the source; all releases prior to the patched versions are affected through the insecure deserialization in the OpenWire protocol.
- Configurations: Any running ActiveMQ broker whose OpenWire transport is reachable over the network.
## Vulnerability Description
CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability residing in Apache ActiveMQ due to insecure deserialization within its OpenWire protocol implementation. A remote, unauthenticated attacker with network access to the broker can exploit this by manipulating the OpenWire protocol to load malicious XML configuration files remotely, leading to arbitrary command execution on the host system.
## Exploitation
- Status: Exploited in the wild (Used by Mauri Ransomware campaigns)
- Complexity: Low (Requires network access to the broker)
- Attack Vector: Network
## Impact
- Confidentiality: High (Execution of arbitrary commands allows configuration theft, data exfiltration)
- Integrity: High (Arbitrary command execution allows modification or deletion of data and system files)
- Availability: High (Deployment of ransomware, coin miners, and system destruction)
## Remediation
### Patches
- *Vendor-specific patch versions are not given in the source; apply the official Apache ActiveMQ security update that addresses this deserialization flaw.*
### Workarounds
- Restrict network access to the ActiveMQ broker endpoints to only trusted IP addresses.
- If possible, disable or strictly limit the OpenWire protocol if other protocols suffice for operations.
## Detection
- Indicators of Compromise:
  - Appearance of Mauri ransomware activity (AES-256 CTR encryption, specific ransom notes).
  - Execution of tools like FRP (Fast Reverse Proxy) or deployment of Quasar RAT.
  - Creation of hidden local user accounts via scripts like `CreateHiddenAccount`.
  - Network connections originating from the broker to known C&C servers (e.g., 18[.]139[.]156[.]111 on port 4782).
- Detection methods and tools: Monitor broker logs for unusual OpenWire protocol usage or unexpected XML configuration loads, and watch for unauthorized processes spawned from the ActiveMQ service account.
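The detection guidance above turned into a small triage routine, as an added example that is not part of the report or of the ActiveMQ project: it flags the tool names and the C&C indicator listed above, plus processes and outbound connections attributable to the broker's service account. The telemetry record layout, the service-account name `activemq` and the sample events are assumptions/constructed.

```python
"""Added example: flag the report's indicators in host telemetry from an ActiveMQ broker.
Record fields, the service-account name and the sample events are assumptions/constructed."""
import ipaddress
from dataclasses import dataclass

KNOWN_C2 = {("18.139.156.111", 4782)}                   # C&C indicator from the report
KNOWN_TOOLS = ("frpc", "frps", "createhiddenaccount")  # tool names the report lists
BROKER_USER = "activemq"                                # assumed broker service account

@dataclass
class Event:
    kind: str            # "proc" (process start) or "net" (outbound connection)
    user: str            # account the process runs as
    parent: str          # parent image ("proc") or originating image ("net")
    image: str = ""      # started image, "proc" only
    dst_ip: str = ""
    dst_port: int = 0

def basename(path):  # lower-cased last path component; accepts '/' and '\' separators
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]

def classify(ev):
    """Return the findings for one event; an empty list means nothing matched."""
    findings = []
    if ev.kind == "proc":
        child = basename(ev.image)
        if any(tool in child for tool in KNOWN_TOOLS):
            findings.append(f"known-tool:{child}")
        # The broker JVM has no business spawning shells or other binaries.
        if ev.user == BROKER_USER and "java" in basename(ev.parent) and not child.startswith("java"):
            findings.append(f"broker-spawned-process:{child}")
    elif ev.kind == "net":
        if (ev.dst_ip, ev.dst_port) in KNOWN_C2:
            findings.append(f"c2-connection:{ev.dst_ip}:{ev.dst_port}")
        elif ev.user == BROKER_USER and not ipaddress.ip_address(ev.dst_ip).is_private:
            # Heuristic: a broker rarely needs arbitrary public hosts; review these by hand.
            findings.append(f"broker-egress:{ev.dst_ip}:{ev.dst_port}")
    return findings

def triage(events):  # event index -> findings, for events with at least one finding
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}

SAMPLE = [  # constructed sample telemetry, not real captures
    Event("proc", "activemq", "/usr/bin/java", image="/usr/bin/java"),
    Event("proc", "activemq", "/usr/bin/java", image="/bin/sh"),
    Event("proc", "SYSTEM", "C:\\Windows\\System32\\cmd.exe", image="C:\\Temp\\CreateHiddenAccount.exe"),
    Event("net", "activemq", "/usr/bin/java", dst_ip="10.0.0.5", dst_port=61616),
    Event("net", "activemq", "/usr/bin/java", dst_ip="18.139.156.111", dst_port=4782),
    Event("net", "activemq", "/usr/bin/java", dst_ip="8.8.8.8", dst_port=443),
]
```

The egress rule is deliberately a heuristic: brokers in a network-of-brokers setup may legitimately reach public peers, so treat those hits as review items rather than alerts.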
## References
- Vendor Advisories: [Search for official ASF Apache ActiveMQ security advisories]
- Relevant links (defanged):
  - asec[.]ahnlab[.]com/en/85000/