Apache ActiveMQ Vulnerability: The Threat That Cannot Be Ignored
2023-12-20 22:00:58 Author: securityboulevard.com

In 2023, we witnessed numerous security vulnerabilities making headlines, with a few recent examples being CitrixBleed and libwebp. However, another vulnerability demands immediate attention, despite not receiving the level of recognition it truly deserves in the media. The Apache ActiveMQ vulnerability tracked as CVE-2023-46604 is a remote code execution (RCE) flaw rated at a critical 10.0 on the CVSS v3 scale. CVE-2023-46604 has been identified in over 3,000 publicly accessible Apache ActiveMQ servers. We must address this issue promptly, as it poses a significant threat to organizations worldwide.

A Prime Target

Apache ActiveMQ, known for its scalability, is an open source message broker that supports Java and various cross-language clients, along with multiple protocols like AMQP, MQTT, OpenWire and STOMP. It’s widely used in enterprise environments for system communication without direct connectivity, thanks to its range of secure authentication and authorization mechanisms. However, its widespread use also makes it a prime target for malicious actors seeking to exploit vulnerabilities such as CVE-2023-46604.

This vulnerability enables attackers to execute arbitrary shell commands by abusing the way serialized class types are handled within the OpenWire protocol. It has already been exploited in the wild: SparkRAT malware was delivered to ActiveMQ servers, as reported by researchers as early as October 10. Alarmingly, even after Apache issued a patch on October 25, more than 4,770 Apache ActiveMQ servers remained vulnerable to CVE-2023-46604 exploits, and some of them were subsequently hit by ransomware attacks.

Security researchers have identified various threat groups, including Andariel, a subgroup of Lazarus, exploiting CVE-2023-46604 to deploy backdoors and malware such as NukeSped and TigerRat. Multiple reports have highlighted the active exploitation of this vulnerability by malicious actors, including the Kinsing botnet operators and ransomware gangs like HelloKitty and TellYouThePass.

Persistent Threat

Despite the availability of patches for CVE-2023-46604 for over a month, the threat continues to persist, with attackers spreading malware on vulnerable servers. There are multiple reasons why organizations delay patching, but the top reason, according to our survey, is the fear of downtime. However, given that Apache ActiveMQ serves as a crucial messaging broker in enterprise environments, the risk of delaying the patch is greater than the risk posed by the downtime. Since a vulnerable ActiveMQ instance serves as a gateway for APT groups to infiltrate corporate infrastructures, the attacks are likely to continue in 2024.

According to Apache’s advisory issued on October 27, the vulnerability impacts Apache ActiveMQ and the Legacy OpenWire Module in versions 5.18.x through 5.18.3, 5.17.x through 5.17.6, 5.16.x through 5.16.7, and all versions back to 5.15.16. While the process of patching is not as straightforward as a one-button update, it is certainly manageable. Apache ActiveMQ provides a comprehensive update procedure and an upgrade tool. Alternatively, organizations can opt for a fresh installation with an import of the existing configuration.
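The first step of that patching procedure is knowing which brokers are still below the fixed release on their line. The following script is an added example written for this article, not Apache's upgrade tool: it classifies ActiveMQ version strings against the first fixed release of each 5.x line named in Apache's advisory (5.15.16, 5.16.7, 5.17.6 and 5.18.3, with everything older than 5.15.16 treated as affected) and produces a work list from an inventory. The hostnames and versions in `SAMPLE_INVENTORY` are constructed for illustration, and releases outside the 5.x lines the advisory covers (for example 6.x) are reported as "not covered" rather than assumed safe.

```python
"""Patch-status triage for CVE-2023-46604 in Apache ActiveMQ.

Added example; not Apache's own tooling. Fixed releases are taken from
Apache's advisory: 5.15.16, 5.16.7, 5.17.6 and 5.18.3. Every older release
on those lines, and every release older than the 5.15 line, is affected.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release for each maintained 5.x line (from the Apache advisory).
FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Accepts "5.17.3", "5.17.3-SNAPSHOT", vendor-suffixed builds and so on;
# only the leading numeric triple takes part in the comparison.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) or raise ValueError for unrecognised input."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Classify one broker version as 'vulnerable', 'fixed' or 'not covered'.

    'not covered' marks releases outside the 5.x lines the advisory lists
    (for example 6.x). Those must be checked against the advisory directly
    instead of being silently treated as safe.
    """
    version = parse_version(version_text)
    major, minor, _ = version
    if major > 5 or (major == 5 and minor > 18):
        return "not covered"
    if major < 5 or minor < 15:
        # Older than the oldest maintained line: the advisory flags
        # everything before 5.15.16 as affected.
        return "vulnerable"
    return "vulnerable" if version < FIXED_BY_LINE[(5, minor)] else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its status; unreadable versions become 'unparseable'."""
    result: Dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            result[host] = classify(version_text)
        except ValueError:
            result[host] = "unparseable"
    return result


def hosts_to_patch(inventory: Dict[str, str]) -> List[str]:
    """Hosts that need the upgrade now, sorted so the work list is stable."""
    return sorted(host for host, status in triage(inventory).items()
                  if status == "vulnerable")


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mq-prod-01": "5.18.3",
    "mq-prod-02": "5.17.4",
    "mq-legacy": "5.15.9",
    "mq-lab": "6.0.0",
    "mq-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
    print("patch first:", hosts_to_patch(SAMPLE_INVENTORY))
```

Feed `triage` the version strings collected from each broker (the value reported by the broker's own version command or its web console) and treat "not covered" and "unparseable" entries as open items for manual review rather than as safe; the whole point of the exercise is that a host does not drop off the list until it is positively on a fixed release.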

In conclusion, organizations should prioritize the mitigation of CVE-2023-46604.


Source: https://securityboulevard.com/2023/12/apache-activemq-vulnerability-the-threat-that-cannot-be-ignored/