This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 89d337fb5 Update to address CVE-2023-46604
89d337fb5 is described below

commit 89d337fb510126520ab0b2945d58b1f882544aac
Author: Justin Bertram <[email protected]>
AuthorDate: Thu Nov 2 23:55:09 2023 -0500

    Update to address CVE-2023-46604
---
 src/_news/CVE-2023-46604.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
new file mode 100644
index 000000000..b176bd41d
--- /dev/null
+++ b/src/_news/CVE-2023-46604.md
@@ -0,0 +1,43 @@
+---
+release_date: 2023-11-3
+title: Update on CVE-2023-46604
+shortDescription:
+title-class: page-title-main
+type: main
+---
+#### Summary
+
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently 
announced and it has caused quite a bit of traffic on the mailing lists and in 
Jira from users curious about its impact on both "Classic" and Artemis. In 
short, **users of both "Classic" and Artemis are recommended to upgrade**. New 
releases for all current branches were made available on the day the CVE was 
announced:
+
+"Classic":
+
+ - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last 
release from this branch)
+ - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last 
release from this branch)
+ - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [5.18.3](https://activemq.apache.org/activemq-5018003-release)
+
+Artemis:
+
+ - [2.31.2](https://activemq.apache.org/components/artemis/download/)
+
+#### CVE Overview
+
+As stated in the [official CVE 
description](https://nvd.nist.gov/vuln/detail/CVE-2023-46604):
+
+> Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability 
may allow a remote attacker with network access to a broker to run arbitrary 
shell commands by manipulating serialized class types in the OpenWire protocol 
to cause the broker to instantiate any class on the classpath.
+
+Three things are required to exploit this vulnerability:
+
+ 1. Network access
+ 1. A manipulated OpenWire "command" (used to instantiate an arbitrary class 
on the classpath with a `String` parameter)
+ 1. A class on the classpath which can execute arbitrary code simply by 
instantiating it with a `String` parameter
+
+#### "Classic" Details
+
+"Classic" ships with a handful of Spring dependencies including, among other 
things, 
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html).
 This class is used to run Spring applications, and it has [a 
constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicatio
 [...]
+
+The only known exploit of this vulnerability uses this 
`ClassPathXmlApplicationContext` to load a malicious XML application 
configuration file from somewhere on the network via HTTP. This malicious XML 
specifically defines the arbitrary code to be run on the machine hosting the 
broker.
+
+#### Artemis Details
+
+Artemis supports the OpenWire protocol and therefore has dependencies from 
"Classic" for this support. These dependencies include the vulnerable code. 
However, Artemis doesn't ship Spring so there is currently no known exploit. 
Regardless, upgrading is still recommended.

Reply via email to