This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new 89d337fb5 Update to address CVE-2023-46604
89d337fb5 is described below
commit 89d337fb510126520ab0b2945d58b1f882544aac
Author: Justin Bertram <[email protected]>
AuthorDate: Thu Nov 2 23:55:09 2023 -0500
Update to address CVE-2023-46604
---
src/_news/CVE-2023-46604.md | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/src/_news/CVE-2023-46604.md b/src/_news/CVE-2023-46604.md
new file mode 100644
index 000000000..b176bd41d
--- /dev/null
+++ b/src/_news/CVE-2023-46604.md
@@ -0,0 +1,43 @@
+---
+release_date: 2023-11-3
+title: Update on CVE-2023-46604
+shortDescription:
+title-class: page-title-main
+type: main
+---
+#### Summary
+
+[CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) was recently
announced and it has caused quite a bit of traffic on the mailing lists and in
Jira from users curious about its impact on both "Classic" and Artemis. In
short, **users of both "Classic" and Artemis are recommended to upgrade**. New
releases for all current branches were made available on the day the CVE was
announced:
+
+"Classic":
+
+ - [5.15.16](https://activemq.apache.org/activemq-5015016-release) (last
release from this branch)
+ - [5.16.7](https://activemq.apache.org/activemq-5016007-release) (last
release from this branch)
+ - [5.17.6](https://activemq.apache.org/activemq-5017006-release)
+ - [5.18.3](https://activemq.apache.org/activemq-5018003-release)
+
+Artemis:
+
+ - [2.31.2](https://activemq.apache.org/components/artemis/download/)
+
+#### CVE Overview
+
+As stated in the [official CVE
description](https://nvd.nist.gov/vuln/detail/CVE-2023-46604):
+
+> Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability
may allow a remote attacker with network access to a broker to run arbitrary
shell commands by manipulating serialized class types in the OpenWire protocol
to cause the broker to instantiate any class on the classpath.
+
+Three things are required to exploit this vulnerability:
+
+ 1. Network access
+ 1. A manipulated OpenWire "command" (used to instantiate an arbitrary class
on the classpath with a `String` parameter)
+ 1. A class on the classpath which can execute arbitrary code simply by
instantiating it with a `String` parameter
+
+#### "Classic" Details
+
+"Classic" ships with a handful of Spring dependencies including, among other
things,
[`org.springframework.context.support.ClassPathXmlApplicationContext`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicationContext.html).
This class is used to run Spring applications, and it has [a
constructor](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/support/ClassPathXmlApplicatio
[...]
+
+The only known exploit of this vulnerability uses this
`ClassPathXmlApplicationContext` to load a malicious XML application
configuration file from somewhere on the network via HTTP. This malicious XML
specifically defines the arbitrary code to be run on the machine hosting the
broker.
+
+#### Artemis Details
+
+Artemis supports the OpenWire protocol and therefore has dependencies from
"Classic" for this support. These dependencies include the vulnerable code.
However, Artemis doesn't ship Spring so there is currently no known exploit.
Regardless, upgrading is still recommended.