redhatcve (Redhat.com) RH:CVE-2023-46604
History: Oct 31, 2023 - 11:33 p.m.

CVE-2023-46604

Source: redhat.com (access.redhat.com)

Tags: cve-2023-46604, remote code execution, apache activemq, openwire, protocol flaw, class type, firewall rules, ssl, transport ports

CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

AI Score: 9.4 High (Confidence: High)

EPSS: 0.964 High (Percentile: 99.6%)

A flaw was found in Apache ActiveMQ, specifically in the OpenWire module. A remote, unauthenticated attacker who can reach the broker's OpenWire transport can run arbitrary shell commands on the broker host by sending a crafted OpenWire command whose serialized throwable names an arbitrary class type. When the broker unmarshals the command it does not validate that the supplied class is actually a Throwable, so it instantiates whatever class on the classpath the attacker names, with an attacker-supplied string as the constructor argument. The result is full compromise of the broker host.
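The following Python model is an added example, not code from this advisory or from ActiveMQ. It walks through the mechanism described above: a throwable frame is decoded, the class name is resolved, and its (String) constructor is called. The frame layout follows OpenWire's loose encoding of a throwable (presence flag, then Java modified-UTF class name and message); the CLASSPATH dict, the class com.example.ConfigLoader and its side effect are constructed stand-ins for what the JVM resolves by reflection, and the "fixed" factory models the patched check that the resolved class must be assignable to Throwable.

```python
"""Model of the unmarshalling flaw behind CVE-2023-46604.

Added example, not ActiveMQ code. The frame layout mirrors OpenWire's
"loose" encoding of a throwable (presence flag, then Java modified-UTF
class name and message); the CLASSPATH dict and every class in it are
constructed stand-ins for what the JVM resolves via reflection.
"""
import struct


class Throwable:
    """Stand-in for java.lang.Throwable; what a broker should build here."""

    def __init__(self, message):
        self.message = message


class BrokerStoppedException(Throwable):
    """Stand-in for a legitimate ActiveMQ exception class."""


SIDE_EFFECTS = []


class ConfigLoader:
    """Hypothetical non-Throwable class with a (String) constructor.
    Its constructor acts on its argument, which is exactly why instantiating
    an attacker-named class with an attacker-supplied string is dangerous."""

    def __init__(self, location):
        SIDE_EFFECTS.append("loaded config from " + location)


# Constructed "classpath": fully-qualified name -> class with a (String) ctor.
CLASSPATH = {
    "java.lang.Throwable": Throwable,
    "org.apache.activemq.broker.BrokerStoppedException": BrokerStoppedException,
    "com.example.ConfigLoader": ConfigLoader,
}


def write_utf(s):
    """Java DataOutput.writeUTF: 2-byte big-endian length, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def read_utf(buf, pos):
    """Inverse of write_utf; returns (string, position after it)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def encode_throwable(class_name, message):
    """Build the throwable portion of a loosely encoded OpenWire frame."""
    return b"\x01" + write_utf(class_name) + write_utf(message)


def create_throwable_vulnerable(class_name, message):
    """Pre-fix behaviour: resolve the name and call its (String) constructor,
    whatever the class is. Unknown names fall back to a plain Throwable."""
    cls = CLASSPATH.get(class_name)
    if cls is None:
        return Throwable(class_name + ": " + message)
    return cls(message)


def create_throwable_fixed(class_name, message):
    """Patched behaviour: only a class assignable to Throwable is instantiated;
    anything else is treated like an unknown name."""
    cls = CLASSPATH.get(class_name)
    if cls is None or not issubclass(cls, Throwable):
        return Throwable(class_name + ": " + message)
    return cls(message)


def unmarshal_throwable(buf, create):
    """Decode the frame and hand class name and message to the factory."""
    if buf[0] == 0:
        return None
    class_name, pos = read_utf(buf, 1)
    message, pos = read_utf(buf, pos)
    return create(class_name, message)


def run(frame, create):
    """Return (name of class instantiated, side effects observed) for a frame."""
    SIDE_EFFECTS.clear()
    obj = unmarshal_throwable(frame, create)
    return type(obj).__name__, list(SIDE_EFFECTS)


if __name__ == "__main__":
    crafted = encode_throwable("com.example.ConfigLoader", "http://192.0.2.10/remote.xml")
    print("vulnerable:", run(crafted, create_throwable_vulnerable))
    print("fixed:     ", run(crafted, create_throwable_fixed))
```

The same frame reaches both factories; only the patched one refuses to construct a class that is not a Throwable, and it degrades to a harmless generic Throwable instead of failing the whole unmarshal.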

Mitigation

On affected systems some of the risk can be reduced, but no mitigation removes it; the only complete resolution is to apply the software updates. Where the broker is reachable from an untrusted network, restrict access to the transport ports with firewall rules and enable SSL on the OpenWire transport connector. Note that TLS by itself only encrypts the connection: the malicious frame is a valid OpenWire command, so the transport has to require client authentication or be reachable only from trusted hosts for this to help.
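As an added example (not ActiveMQ tooling or part of this advisory), a check for the mitigation above: it reads the transportConnector entries from activemq.xml, flags every OpenWire listener that is plaintext and bound to a non-loopback address, rewrites such a URI to its TLS form with client certificates required, and emits the matching nftables rule. The sample activemq.xml is constructed; the scheme sets assume the standard ActiveMQ transport names (tcp, nio and the auto variants carry OpenWire in the clear; the +ssl variants wrap it in TLS), 61616 is the default OpenWire port, and the allowed CIDRs are placeholders.

```python
"""Audit activemq.xml transportConnector URIs for the advisory's mitigation.

Added example, not ActiveMQ tooling. SAMPLE_XML is constructed; the scheme
sets assume the standard ActiveMQ transport names (tcp, nio and the 'auto'
negotiating variants carry OpenWire without TLS); 61616 is the default
OpenWire port.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the layout of conf/activemq.xml: one exposed plaintext
# OpenWire connector, one TLS connector, one loopback-only connector and an
# unrelated AMQP connector.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire"
          uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="openwire-ssl"
          uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
      <transportConnector name="openwire-local" uri="nio://127.0.0.1:61618"/>
      <transportConnector name="amqp" uri="amqp://0.0.0.0:5672"/>
    </transportConnectors>
  </broker>
</beans>"""

# Transport schemes that speak OpenWire in the clear and their TLS counterparts.
TLS_FOR = {"tcp": "ssl", "nio": "nio+ssl", "auto": "auto+ssl", "auto+nio": "auto+nio+ssl"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def transport_connectors(xml_text):
    """Yield (name, uri) for every transportConnector, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "transportConnector" and el.get("uri"):
            yield el.get("name", "?"), el.get("uri")


def audit(xml_text):
    """Return (connector name, port, problem) for each OpenWire listener that
    is plaintext and bound to something other than loopback."""
    findings = []
    for name, uri in transport_connectors(xml_text):
        u = urlparse(uri)
        if u.scheme not in TLS_FOR:
            continue  # ssl variants, amqp, mqtt, ws, ... are not plaintext OpenWire
        host = u.hostname or ""
        if host in LOOPBACK:
            continue
        findings.append((name, u.port,
                         "plaintext OpenWire reachable on %s:%s" % (host, u.port)))
    return findings


def hardened_uri(uri):
    """Rewrite a plaintext OpenWire URI to its TLS counterpart and require
    client certificates, so an unauthenticated peer cannot speak OpenWire."""
    u = urlparse(uri)
    query = (u.query + "&" if u.query else "") + "needClientAuth=true"
    return "%s://%s?%s" % (TLS_FOR[u.scheme], u.netloc, query)


def nft_rule(port, allowed_cidrs):
    """nftables rule text restricting the transport port to known clients
    (placeholder CIDRs; place the lines in an input chain)."""
    return ("tcp dport %d ip saddr { %s } accept\n"
            "tcp dport %d drop" % (port, ", ".join(allowed_cidrs), port))


if __name__ == "__main__":
    for name, port, problem in audit(SAMPLE_XML):
        print(name + ":", problem)
        print("  firewall:", nft_rule(port, ["10.0.0.0/8"]).replace("\n", "; "))
    print(hardened_uri("tcp://0.0.0.0:61616?maximumConnections=1000"))
```

Both checks are deliberately conservative: a TLS connector without needClientAuth is not flagged, because the page's advice is to enable SSL, but it should still be treated as reachable by anyone who can complete a handshake.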