- Published: 2023-10-27
- Detected: 2023-10-27
- Vulnerability type: Security update
- Risk level: Unknown
- Updated version: 5.x
- Intelligence contributed by: TSRC
Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
Affected versions:

- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Description:

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

This issue is being tracked as AMQ-9370.

References:

https://activemq.apache.org/security-advisories.data/CVE-2023-46604
https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46604
https://issues.apache.org/jira/browse/AMQ-9370
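The affected ranges and fixed releases listed above can be turned into an inventory check. The following Python sketch is an added example, not part of the advisory or of ActiveMQ; the function names and the sample inventory are assumptions made for illustration, and the input is assumed to be an ActiveMQ version string or artifact name.

```python
import re

# Fixed release per maintained branch, taken from the advisory text above.
FIXED = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6), (5, 16): (5, 16, 7)}
OLDEST_FIX = (5, 15, 16)         # "before 5.15.16" is affected
LEGACY_MODULE_FLOOR = (5, 8, 0)  # Legacy OpenWire Module range starts at 5.8.0


def parse_version(text):
    """Extract (major, minor, patch) from '5.17.5' or 'activemq-all-5.17.5.jar'.
    Qualifiers such as -SNAPSHOT are ignored; returns None if nothing parses."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(version_text, legacy_openwire_module=False):
    """Return 'affected', 'fixed' or 'unknown' for one version string.
    'unknown' means unparseable or outside the ranges the advisory lists."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in FIXED:
        return "affected" if v < FIXED[branch] else "fixed"
    if v < OLDEST_FIX:
        # The module entry only covers 5.8.0 and later.
        if legacy_openwire_module and v < LEGACY_MODULE_FLOOR:
            return "unknown"
        return "affected"
    if branch == (5, 15):
        return "fixed"
    return "unknown"  # newer branches are not listed in this advisory


def audit(inventory):
    """Map each host in {host: version_text} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "mq-01": "apache-activemq-5.15.9",
        "mq-02": "5.18.3",
        "mq-03": "activemq-all-5.17.5.jar",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check against the vendor advisory rather than being treated as safe.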
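Apache ActiveMQ is open-source message middleware developed by the Apache Software Foundation. Because ActiveMQ is a pure Java program, it runs on any operating system that supports a Java Virtual Machine.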
CVE-2023-46604: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46604
Not available
Not available
http://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt