Reference: Advisory #2023-132
Version: 1.0
Affected software:
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Type: Remote Code Execution
CVE/CVSS: CVE-2023-46604: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
https://nvd.nist.gov/vuln/detail/CVE-2023-46604
CVE-2023-46604 affects Apache ActiveMQ. Successful exploitation leads to Remote Code Execution (RCE).
CVE-2023-46604 has a HIGH Impact on Integrity and Availability. No user interaction is needed to exploit this vulnerability and the attack complexity is low.
CVE-2023-46604 is exploited in the wild by ransomware operators, and a PoC is published on GitHub. Immediate action is needed.
The CCB recommends that organizations upscale their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
The Centre for Cyber Security Belgium strongly recommends that system administrators upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
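To find brokers that still need the upgrade, the affected ranges listed above can be checked against an asset inventory. The following is an added example, not part of the CCB advisory; the host names and the inventory are constructed, and the handling of suffixed builds (snapshots, vendor rebuilds) as "unknown" is an assumption of this example.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
# Everything below this release (5.15 branch and older) is listed as affected.
OLDEST_FIXED = (5, 15, 16)

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def classify(version_text):
    """Return 'affected', 'not_affected' or 'unknown' for a version string."""
    match = _VERSION.match(version_text.strip())
    if match is None:
        return "unknown"  # unparseable: review by hand, never assume safe
    version = tuple(int(part) for part in match.groups()[:3])
    suffix = match.group(4)
    fixed = FIXED.get(version[:2])
    if version < OLDEST_FIXED or (fixed is not None and version < fixed):
        return "affected"
    if suffix:
        # Assumption: a suffixed build (e.g. -SNAPSHOT, vendor rebuild) of a
        # fixed version number may predate the fix, so it needs manual review.
        return "unknown"
    return "not_affected"  # outside the ranges the advisory lists


def needs_action(inventory):
    """Return sorted (host, version, status) rows that are not 'not_affected'."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(row for row in rows if row[2] != "not_affected")


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {
        "mq-prod-01": "5.18.2",
        "mq-prod-02": "5.18.3",
        "mq-legacy": "5.15.15",
        "mq-build": "5.17.6-SNAPSHOT",
        "mq-dev": "latest",
    }
    for host, ver, status in needs_action(sample):
        print(f"{host}\t{ver}\t{status}")
```

A host reported as "affected" or "unknown" should also be reviewed for signs of earlier compromise, since upgrading does not remediate an intrusion that already happened.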
https://cybersecuritynews.com/hellokitty-ransomware-apache-activemq/
https://securityaffairs.com/153454/hacking/apache-activemq-cve-2023-46604-hellokitty-ransomare.html
https://en.wikipedia.org/wiki/Apache_ActiveMQ