CVE-2023-46604
Severity: CRITICAL | CISA KEV | CVSS 10.0
Description
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
CVE Details
CVSS v3.1 Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 10/27/2023
Last Modified: 11/4/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: Apache
Product: ActiveMQ
Vulnerability Name: Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
KEV Date Added: 2023-11-02
Remediation Due Date: 2023-11-23
Ransomware Use: Known
Affected Products
apache:activemq
apache:activemq_legacy_openwire_module
debian:debian_linux
netapp:e-series_santricity_unified_manager
netapp:e-series_santricity_web_services_proxy
netapp:santricity_storage_plugin
Weaknesses (CWE)
CWE-502
References
http://seclists.org/fulldisclosure/2024/Apr/18 (security@apache.org)
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt (security@apache.org)
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html (security@apache.org)
https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html (security@apache.org)
https://security.netapp.com/advisory/ntap-20231110-0010/ (security@apache.org)
https://www.openwall.com/lists/oss-security/2023/10/27/5 (security@apache.org)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46604
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.