CVE-2023-46604: Critical RCE in Apache ActiveMQ via OpenWire Deserialization
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Frequently Asked Questions
What is CVE-2023-46604 and why does it matter?
CVE-2023-46604 is a critical deserialization of untrusted data vulnerability in Apache ActiveMQ's OpenWire protocol marshaller. With a CVSS score of 10.0, it matters because it allows unauthenticated remote attackers to execute arbitrary shell commands. It is actively being exploited in the wild, often for ransomware deployment, making it a top-tier threat to enterprise messaging infrastructure.
Which versions of Apache ActiveMQ are affected?
Based on the official data, affected versions include 5.18.0, 5.17.0, 5.16.0, and older versions back to 5.8.0. The vulnerability affects both the Java-based OpenWire brokers and clients. Organizations using any legacy versions within these branches should assume they are vulnerable and verify their current deployment version immediately.
Has a patch been released for CVE-2023-46604?
Yes, Apache has released official patches to address this flaw. Users are strongly recommended to upgrade both their brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3. These versions implement strict validation during the OpenWire marshalling process to prevent the instantiation of unauthorized class types that lead to code execution.
What is the remediation deadline for CVE-2023-46604?
The remediation deadline is 2023-11-23. For organizations following federal compliance standards like CISA BOD 22-01, this date represents the mandatory window for patching known exploited vulnerabilities. Failing to meet this deadline significantly increases the risk of successful ransomware infiltration and may result in non-compliance with institutional security mandates.
How can I check if my ActiveMQ instance is affected?
To check if an instance is affected, verify the running version of the ActiveMQ broker and any associated Java-based OpenWire clients. If the version is below the fixed releases (5.15.16, 5.16.7, 5.17.6, or 5.18.3), the instance is vulnerable. Additionally, check for signs of active exploitation, such as unusual shell commands or unauthorized class instantiations in the system logs.
CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability in Apache ActiveMQ, the world’s most popular open-source message broker. With a maximum CVSS score of 10.0, this vulnerability allows unauthenticated attackers to execute arbitrary shell commands across the network. Given its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog and its verified use by ransomware operators, immediate remediation is mandatory. Organizations must apply patches before the November 23, 2023, deadline to mitigate the risk of total system compromise.
Vulnerability Profile

| Field | Details |
|---|---|
| CVE ID | CVE-2023-46604 |
| Affected Product & Versions | Apache ActiveMQ 5.18.0, 5.17.0, 5.16.0, 5.8.0 |
| CVSS Score & Severity | 10.0 (CRITICAL) |
| CVSS Version | 3.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| CWE IDs | CWE-502 (Deserialization of Untrusted Data) |
| Date Disclosed | 2023-11-02 |
| Remediation Deadline | 2023-11-23 |
| SSVC Exploitation Status | Active |
| Known Ransomware Use | Yes |
| EPSS Score & Percentile | 0.94436 (100th percentile) |
| Patch Available | Yes |
Technical Deep Dive: Explaining CWE-502 and OpenWire Deserialization
The technical core of CVE-2023-46604 lies in CWE-502: Deserialization of Untrusted Data. In the context of Apache ActiveMQ, the vulnerability resides within the OpenWire protocol marshaller. OpenWire is a high-performance binary protocol used by ActiveMQ to facilitate communication between the message broker and its clients.
Marshalling is the process of transforming complex data structures or objects into a format suitable for transmission over a network. Conversely, unmarshalling (deserialization) occurs when the receiving end converts that transmitted data back into an object in memory. The flaw in CVE-2023-46604 is that the OpenWire unmarshaller does not properly validate the class types being serialized.
An attacker can construct a malicious OpenWire packet that specifies a particular class name to be instantiated. Because the broker (or client) trusts the metadata within the protocol packet, it attempts to instantiate the specified class from the local classpath. If an attacker chooses a class that performs sensitive operations—such as java.lang.ProcessBuilder or other "gadget" classes—they can force the application to execute arbitrary shell commands on the underlying host operating system.
The "blast radius" of this vulnerability is total. Because no authentication is required (PR:N) and the attack complexity is low (AC:L), any ActiveMQ instance exposed to the network on the OpenWire port (typically 61616) is a sitting duck. The high EPSS score of 0.94436 indicates that this is not a theoretical risk; it is a primary target for automated exploitation tools and state-sponsored threat actors.
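The following is an added example, not code from ActiveMQ or from this advisory. It is a small Python model of the CWE-502 pattern described above: a wire message names a class and supplies one string argument, and the receiver resolves that class by name and instantiates it. The two-string framing, the function names and the "exception types only" allowlist are constructed for illustration; they are a model of the "validate the class type" fix, not the project's actual OpenWire code or patch.

```python
"""
Added example (not ActiveMQ code): a Python model of unvalidated
class-name deserialization versus the same routine with a type check.
The framing (two length-prefixed UTF-8 strings) is constructed for
this example and is not the OpenWire encoding.
"""
import importlib
import struct


def encode_throwable(class_name: str, message: str) -> bytes:
    """Constructed framing: class name, then message, each as >H length + UTF-8."""
    parts = []
    for s in (class_name, message):
        raw = s.encode("utf-8")
        parts.append(struct.pack(">H", len(raw)) + raw)
    return b"".join(parts)


def decode_throwable(data: bytes):
    """Parse the constructed framing back into (class_name, message)."""
    fields = []
    pos = 0
    for _ in range(2):
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        fields.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    return fields[0], fields[1]


def resolve_class(class_name: str):
    """Load an attribute by fully-qualified name ('module.Name')."""
    module_name, _, attr = class_name.rpartition(".")
    if not module_name:
        raise ValueError("expected a fully-qualified class name")
    return getattr(importlib.import_module(module_name), attr)


def unmarshal_unsafe(data: bytes):
    """Vulnerable pattern: the receiver trusts the metadata in the packet and
    instantiates whatever the peer named, with the peer-supplied argument.
    This is the shape of the flaw, written here with a harmless class name."""
    class_name, message = decode_throwable(data)
    return resolve_class(class_name)(message)


def unmarshal_safe(data: bytes):
    """Hardened pattern: this field is documented as carrying an exception,
    so any resolved object that is not an exception class is refused before
    a constructor ever runs."""
    class_name, message = decode_throwable(data)
    cls = resolve_class(class_name)
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise ValueError(f"refusing to instantiate non-exception type {class_name!r}")
    return cls(message)


if __name__ == "__main__":
    ok = encode_throwable("builtins.ValueError", "broker error")
    print(repr(unmarshal_safe(ok)))           # ValueError('broker error')
    odd = encode_throwable("collections.Counter", "aab")
    print(type(unmarshal_unsafe(odd)).__name__)  # Counter: unsafe path obeys the packet
    try:
        unmarshal_safe(odd)
    except ValueError as e:
        print("rejected:", e)
```

The check in `unmarshal_safe` is the important line: it constrains the resolved type to what the protocol field is supposed to carry, so the class name in the packet can no longer select an arbitrary class from the classpath.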
Who Is Affected: Impacted Versions and Compliance Requirements
This vulnerability impacts a wide range of Apache ActiveMQ deployments, specifically those utilizing the OpenWire protocol. The affected versions include the 5.18.x, 5.17.x, 5.16.x, and legacy 5.x branches (specifically tested down to 5.8.0). Both the Broker (the server) and the Java-based Client are vulnerable. If a broker is compromised, it can be used to attack connected clients; conversely, a malicious client can compromise the central broker.
From a compliance perspective, CVE-2023-46604 has been flagged with a remediation deadline of November 23, 2023. This timeline is critical for organizations following CISA BOD 22-01. Even for those not bound by federal mandates, the "Active" exploitation status and known use by ransomware groups make this a high-priority incident. Threat actors have been observed using this vulnerability to deploy the HelloKitty ransomware and various botnets, leveraging the "Total" technical impact (SSVC: total) to gain persistent access and encrypt enterprise data.
Official Remediation Steps: Patching and Mitigation Guide
The primary and most effective remediation for CVE-2023-46604 is a software upgrade. Apache has released patched versions that implement proper validation of serialized classes within the OpenWire protocol.
Identify Vulnerable Instances: Scan your network for services running on port 61616 and verify the version of the ActiveMQ broker using management consoles or command-line tools (activemq --version).
Update Brokers: Immediately upgrade your ActiveMQ brokers to one of the following fixed versions:
5.15.16
5.16.7
5.17.6
5.18.3
Update Java Clients: Ensure that all Java-based applications acting as ActiveMQ clients are also updated to the patched versions, as the marshalling vulnerability exists on the client side as well.
Reference Official Documentation: Consult the Apache ActiveMQ Security Advisory for specific build instructions if you are running a custom distribution.
Verify the Fix: After patching, use security scanning tools to ensure the OpenWire port no longer responds to unauthorized class instantiation attempts.
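The steps above amount to collecting a version per host and comparing it with the fixed releases. The following added example (not part of the advisory) does that triage in Python: it pulls an x.y.z version out of a banner or `activemq --version` line and classifies it against the four fixed releases listed in step 2. The inventory text is constructed sample data; the branch rules encode only what this advisory states (fixed releases per branch, affected back to 5.8.0), so versions outside that range are marked for manual review rather than guessed at.

```python
"""
Added example: classify Apache ActiveMQ versions against the fixed
releases named in this advisory. Inventory lines are constructed data.
"""
import re

# Fixed releases from the advisory, keyed by maintenance branch.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_AFFECTED = (5, 8, 0)  # advisory: affected back to 5.8.0

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# Constructed inventory: "<host> <whatever the version check printed>"
INVENTORY = """\
broker-a.example.internal  ActiveMQ 5.18.2
broker-b.example.internal  ActiveMQ 5.17.6
broker-c.example.internal  ActiveMQ 5.12.1
broker-d.example.internal  ActiveMQ 5.16.7
broker-e.example.internal  version unknown
"""


def parse_version(text: str):
    """Return the first x.y.z in the text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """'fixed', 'vulnerable', 'unknown' (no version) or 'review' (outside
    the branches this advisory covers)."""
    if version is None:
        return "unknown"
    if version < OLDEST_AFFECTED:
        return "review"            # older than the advisory's stated range
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if version[0] == 5 and branch < (5, 15):
        return "vulnerable"        # 5.8 .. 5.14: no fixed release on that branch
    return "review"                # 5.19+ or 6.x: not covered here


def triage(inventory_text: str) -> dict:
    """Map each host in the inventory to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        host = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        results[host] = classify(parse_version(rest))
    return results


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:32} {status}")
```

Hosts marked `vulnerable` on the 5.8 to 5.14 branches have no fixed release on their own branch and need to move to one of the four fixed versions; `unknown` hosts could not be versioned remotely and need a local check with `activemq --version`.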
Security Best Practices: Strengthening Messaging Infrastructure
Beyond patching CVE-2023-46604, organizations should adopt a defense-in-depth strategy to secure their messaging middleware against future deserialization attacks and protocol-level exploits.
Network Segmentation: Restrict access to the ActiveMQ OpenWire port (default 61616) using firewalls or VPC security groups. Only authorized clients and internal services should be allowed to communicate with the broker.
Implementation of Least Privilege: Run the ActiveMQ service under a dedicated, low-privilege service account. Avoid running the broker as root or Administrator, which limits the damage an attacker can do even if they achieve RCE.
Egress Filtering: Configure strict outbound firewall rules for the servers hosting ActiveMQ. Attackers often use RCE to download second-stage payloads (like Cobalt Strike beacons or ransomware encryptors) from the internet. Blocking unauthorized egress can break the attack chain.
Monitor for Suspicious Child Processes: Use Endpoint Detection and Response (EDR) tools to monitor for unusual processes spawned by the ActiveMQ service (e.g., cmd.exe, /bin/sh, powershell.exe).
Disable Unused Protocols: If your environment does not require OpenWire (e.g., you only use STOMP, MQTT, or AMQP), disable the OpenWire connector in the activemq.xml configuration file to reduce the attack surface.
Regular Patch Management: Integrate ActiveMQ into an automated vulnerability management lifecycle to ensure that future critical updates are applied within the recommended remediation windows.
Enable Logging and Auditing: Maintain detailed logs of connection attempts and protocol errors. Deserialization failures often leave traces in the logs that can serve as early warning signs of scanning or exploitation attempts.
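The child-process monitoring recommended above can be expressed as a small rule over process-creation events. The following added example (not part of the advisory, and not tied to any particular EDR product) runs that rule in Python over constructed events shaped like a typical process export (pid, ppid, image path, command line). Two assumptions are labelled in the code: a broker process is recognised as a `java` image whose command line mentions `activemq`, and the shell list is the advisory's three (cmd.exe, /bin/sh, powershell.exe) plus `bash`, `dash` and `pwsh.exe`.

```python
"""
Added example: flag shell interpreters spawned directly by an ActiveMQ
broker process. Events below are constructed sample data.
"""
import re

# Assumption: these interpreter images are the ones worth alerting on.
SHELL_IMAGES = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events (Linux and Windows hosts mixed).
EVENTS = [
    # Normal: the launcher script (a shell) starts the broker JVM.
    {"pid": 900,  "ppid": 1,    "image": "/bin/bash",
     "cmdline": "bash /opt/activemq/bin/activemq start"},
    {"pid": 1200, "ppid": 900,  "image": "/usr/bin/java",
     "cmdline": "java -Dactivemq.home=/opt/activemq -jar /opt/activemq/bin/activemq.jar start"},
    # Suspicious: the broker JVM itself spawns a shell.
    {"pid": 1340, "ppid": 1200, "image": "/bin/sh", "cmdline": "sh -c id"},
    {"pid": 1341, "ppid": 1340, "image": "/usr/bin/id", "cmdline": "id"},
    # Unrelated: cron running a job through a shell.
    {"pid": 2000, "ppid": 1,    "image": "/usr/sbin/cron", "cmdline": "/usr/sbin/cron -f"},
    {"pid": 2001, "ppid": 2000, "image": "/bin/sh", "cmdline": "sh -c /usr/sbin/logrotate /etc/logrotate.conf"},
    # Windows host: broker JVM spawning cmd.exe.
    {"pid": 3000, "ppid": 1,    "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"java.exe -jar C:\ActiveMQ\bin\activemq.jar start"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased; handles both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_broker_process(ev: dict) -> bool:
    """Assumption: a java image whose command line mentions activemq."""
    return basename(ev["image"]).startswith("java") and "activemq" in ev["cmdline"].lower()


def find_suspicious_children(events: list) -> list:
    """Return shell processes whose direct parent is a broker JVM.
    A shell that is the *parent* of the JVM (the launcher script) is normal
    and is not reported; only JVM -> shell edges are."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and is_broker_process(parent) and basename(ev["image"]) in SHELL_IMAGES:
            hits.append({"pid": ev["pid"], "parent_pid": parent["pid"],
                         "image": ev["image"], "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_children(EVENTS):
        print(f"ALERT pid={hit['pid']} parent={hit['parent_pid']} {hit['image']}: {hit['cmdline']}")
```

The rule deliberately keys on the parent-child edge rather than on the shell alone: shells are everywhere on a host, but a message broker JVM has no routine reason to start one, so that edge is a high-signal, low-volume alert.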