CVE-2023-46604: Critical RCE Vulnerability in Apache ActiveMQ

On October 27, 2023, Apache published a security advisory announcing that a critical remote code execution (RCE) vulnerability, CVE-2023-46604, has been fixed in the latest updates for Apache ActiveMQ products. This vulnerability was rated with a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, as it can be exploited remotely by an unauthenticated threat actor in low-complexity attacks.

Arctic Wolf has observed several instances of active exploitation of this vulnerability in association with a ransomware campaign delivering the TellYouThePass ransomware variant. We have documented this campaign along with our analysis of the ransomware here.

Given that a public proof-of-concept (PoC) has been published detailing how this vulnerability can be exploited, and given the widespread use of ActiveMQ as a library in many products, this vulnerability is an attractive target for threat actors developing further exploits.

Recommendations

Recommendation #1: Upgrade Independent Installations of ActiveMQ to the Latest Version Where Possible

Arctic Wolf strongly recommends upgrading Apache ActiveMQ to the latest versions.

In instances where third-party software is dependent on an ActiveMQ installation, it is recommended that each individual deployment is carefully reviewed according to the guidelines of the relevant vendors to determine whether updates to ActiveMQ are expected to have an operational impact on that software.

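| Product | Affected Version | Fixed Version |
|---|---|---|
| Apache ActiveMQ and Apache ActiveMQ Legacy (OpenWire Module) | 5.18.0 before 5.18.3 | 5.18.3 |
| Apache ActiveMQ and Apache ActiveMQ Legacy (OpenWire Module) | 5.17.0 before 5.17.6 | 5.17.6 |
| Apache ActiveMQ and Apache ActiveMQ Legacy (OpenWire Module) | 5.16.0 before 5.16.7 | 5.16.7 |
| Apache ActiveMQ and Apache ActiveMQ Legacy (OpenWire Module) | before 5.15.16 | 5.15.16 |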

 

Please follow your organization's patching and testing guidelines to avoid operational impact.

Recommendation #2: Closely Monitor Software Vendor Patch Advisories Related to CVE-2023-46604

The vulnerability has been patched in the latest version of ActiveMQ. However, the security patch is not necessarily applied automatically to software products that bundle ActiveMQ within their installations. As this is a developing situation, individual vendors will need to update their software to use the latest version of ActiveMQ. Remediating CVE-2023-46604 in third-party software products is only possible by applying the official security updates from vendors as they patch their products.

We strongly recommend monitoring software vendor advisories for security updates that remediate CVE-2023-46604 in your environment and applying those security updates promptly.
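To find bundled copies that still need a vendor update, the following added example (not Arctic Wolf or Apache code) walks a directory tree and flags ActiveMQ JARs whose version falls in the affected ranges listed under Recommendation #1. It assumes bundled JARs keep the Maven-style file name `activemq-<module>-<version>.jar`; the function names are illustrative.

```python
import re
from pathlib import Path

# Affected ranges from the table above: (inclusive lower bound, fixed version).
AFFECTED = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),  # "before 5.15.16"
]

# Assumption: the version is embedded in the file name, optionally followed by
# a qualifier such as -SNAPSHOT or a vendor suffix.
JAR_RE = re.compile(r"^activemq-[a-z-]+?-(\d+)\.(\d+)\.(\d+)(?:[.-].*)?\.jar$")


def fixed_version_for(version):
    """Return the fixed release as a string if `version` is affected, else None."""
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return ".".join(map(str, fixed))
    return None


def scan(root):
    """Return (path, found_version, fixed_version) for each affected JAR under root."""
    findings = []
    for jar in sorted(Path(root).rglob("activemq-*.jar")):
        m = JAR_RE.match(jar.name)
        if not m:
            continue  # no version in the file name; check the JAR manifest manually
        version = tuple(int(part) for part in m.groups())
        fixed = fixed_version_for(version)
        if fixed:
            findings.append((str(jar), ".".join(m.groups()), fixed))
    return findings


if __name__ == "__main__":
    import sys
    for path, found, fixed in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: ActiveMQ {found} is affected, fixed in {fixed}")
```

A hit inside a third-party product's directory is a prompt to check that vendor's advisory, not to swap the JAR by hand; vendor builds that backport the fix without changing the version number will still be flagged and need manual confirmation.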

 


Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.