The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
13 Feb 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. |
23 Jan 2025, 16:16
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List |
21 Nov 2024, 08:28
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
References | () http://seclists.org/fulldisclosure/2024/Apr/18 - Mailing List, Third Party Advisory | |
References | () https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt - Vendor Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory | |
References | () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | () https://security.netapp.com/advisory/ntap-20231110-0010/ - Third Party Advisory | |
References | () https://www.openwall.com/lists/oss-security/2023/10/27/5 - Mailing List |
27 Jun 2024, 18:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:* |
|
References | () http://seclists.org/fulldisclosure/2024/Apr/18 - Mailing List, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory | |
References | () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | () https://security.netapp.com/advisory/ntap-20231110-0010/ - Third Party Advisory | |
References | () https://www.openwall.com/lists/oss-security/2023/10/27/5 - Mailing List | |
First Time |
Netapp e-series Santricity Web Services Proxy
Netapp Netapp santricity Storage Plugin Debian debian Linux Debian Netapp e-series Santricity Unified Manager |
11 Apr 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Nov 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
20 Nov 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2023-10-27 15:15
Updated : 2025-02-13 18:15
NVD link : CVE-2023-46604
Mitre link : CVE-2023-46604
CVE.ORG link : CVE-2023-46604
JSON object : View
Products Affected
debian
- debian_linux
netapp
- santricity_storage_plugin
- e-series_santricity_unified_manager
- e-series_santricity_web_services_proxy
apache
- activemq
- activemq_legacy_openwire_module
CWE
CWE-502
Deserialization of Untrusted Data