CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*

History

13 Feb 2025, 18:15

Type Values Removed Values Added
Summary (en) The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. (en) The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

23 Jan 2025, 16:16

Type Values Removed Values Added
References () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List

21 Nov 2024, 08:28

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 10.0
References () http://seclists.org/fulldisclosure/2024/Apr/18 - Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2024/Apr/18 - Mailing List, Third Party Advisory
References () https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt - Vendor Advisory () https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt - Vendor Advisory
References () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory
References () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () https://security.netapp.com/advisory/ntap-20231110-0010/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20231110-0010/ - Third Party Advisory
References () https://www.openwall.com/lists/oss-security/2023/10/27/5 - Mailing List () https://www.openwall.com/lists/oss-security/2023/10/27/5 - Mailing List

27 Jun 2024, 18:30

Type Values Removed Values Added
CPE cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*
References () http://seclists.org/fulldisclosure/2024/Apr/18 - () http://seclists.org/fulldisclosure/2024/Apr/18 - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory
References () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () https://security.netapp.com/advisory/ntap-20231110-0010/ - () https://security.netapp.com/advisory/ntap-20231110-0010/ - Third Party Advisory
References () https://www.openwall.com/lists/oss-security/2023/10/27/5 - () https://www.openwall.com/lists/oss-security/2023/10/27/5 - Mailing List
First Time Netapp e-series Santricity Web Services Proxy
Netapp
Netapp santricity Storage Plugin
Debian debian Linux
Debian
Netapp e-series Santricity Unified Manager

11 Apr 2024, 08:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Apr/18 -

28 Nov 2023, 15:15

Type Values Removed Values Added
References
  • {'url': 'http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html', 'name': 'http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html', 'tags': [], 'refsource': ''}
  • () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html -

20 Nov 2023, 22:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html -

Information

Published : 2023-10-27 15:15

Updated : 2025-02-13 18:15


NVD link : CVE-2023-46604

Mitre link : CVE-2023-46604

CVE.ORG link : CVE-2023-46604


JSON object : View

Products Affected

debian

  • debian_linux

netapp

  • santricity_storage_plugin
  • e-series_santricity_unified_manager
  • e-series_santricity_web_services_proxy

apache

  • activemq
  • activemq_legacy_openwire_module
CWE
CWE-502

Deserialization of Untrusted Data