CVE-2023-46604

Deserialization of Untrusted Data in maven/org.apache.activemq/activemq-jaas

Identifiers

CVE-2023-46604

Package Slug

maven/org.apache.activemq/activemq-jaas

Vulnerability

Deserialization of Untrusted Data

Description

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Affected Versions

All versions before 5.15.16, all versions starting from 5.16.0 before 5.16.7, all versions starting from 5.17.0 before 5.17.6, all versions starting from 5.18.0 before 5.18.3

Solution

Upgrade to versions 5.15.16, 5.16.7, 5.17.6, 5.18.3 or above.

Last Modified

2023-11-09

source