CVE-2023-46604

2023-10-2715:15:14

Debian Security Bug Tracker

security-tracker.debian.org

115

java

openwire

remote code execution

vulnerability

network access

serialized class types

upgrade

brokers

clients

version 5.15.16

version 5.16.7

version 5.17.6

version 5.18.3

unix

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

9.7 High

AI Score

Confidence

High

0.964 High

EPSS

Percentile

99.6%

JSON

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

OSVersionArchitecturePackageVersionFilename
Debian12allactivemq<= 5.17.2+dfsg-2activemq_5.17.2+dfsg-2_all.deb
Debian11allactivemq<= 5.16.1-1activemq_5.16.1-1_all.deb
Debian999allactivemq< 5.17.6+dfsg-1activemq_5.17.6+dfsg-1_all.deb
Debian13allactivemq< 5.17.6+dfsg-1activemq_5.17.6+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	activemq	<= 5.17.2+dfsg-2	activemq_5.17.2+dfsg-2_all.deb
Debian	11	all	activemq	<= 5.16.1-1	activemq_5.16.1-1_all.deb
Debian	999	all	activemq	< 5.17.6+dfsg-1	activemq_5.17.6+dfsg-1_all.deb
Debian	13	all	activemq	< 5.17.6+dfsg-1	activemq_5.17.6+dfsg-1_all.deb