
Thousands of Apache ActiveMQ servers at risk of compromise

A dangerous vulnerability jeopardizes the security of Apache ActiveMQ servers

More than 3,000 Apache ActiveMQ servers are at risk due to a remote code execution vulnerability. Attackers can execute shell commands and steal data. Apache has released fixes, but many vulnerable servers remain, in China, the United States, Germany, India, the Netherlands, Russia, France and South Korea.

More than three thousand exposed Apache ActiveMQ servers on the Internet are currently at risk due to a recently disclosed critical remote code execution (RCE) vulnerability. Apache ActiveMQ is a widely used open-source message broker that facilitates communication in enterprise environments. It supports various secure authentication and authorization mechanisms, making it a key component in systems where direct connectivity is not possible.

Vulnerability

The vulnerability in question, designated CVE-2023-46604, is classified as critical and allows attackers to execute arbitrary shell commands by leveraging serialized class types in the OpenWire protocol. This could potentially lead to message interception, workflow disruptions, data theft, and even lateral movement within the network.

Fixes and vulnerable servers

Apache released fixes for this issue on October 27, 2023, with recommended update versions including 5.15.16, 5.16.7, 5.17.6 and 5.18.3.

Researchers at the ShadowServer threat monitoring service discovered a total of 7,249 servers accessible with ActiveMQ services. Of these, 3,329 were running a vulnerable version of ActiveMQ, putting them at risk of remote code execution.

Geographical distribution of vulnerable servers

The majority of these vulnerable servers (1,400) are located in China, with the United States hosting 530, Germany 153, and India, the Netherlands, Russia, France and South Korea each having 100 or more exposed. With technical details about the CVE-2023-46604 exploit publicly available, applying security updates becomes a matter of urgency.
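
To triage a broker inventory against the fixed releases listed above, the following added example (not code from the article or from Apache) compares each version numerically within its release branch. The host names, the function names and the sample inventory are constructed for illustration; branches for which the article names no fixed release are reported separately instead of being guessed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# Exactly three numeric components; anything with a suffix goes to manual review.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version):
    """Return 'patched', 'vulnerable', 'unlisted-branch' or 'unparseable'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The article lists no fixed release for this branch: check the vendor advisory.
        return "unlisted-branch"
    # Integer comparison: 5.15.9 is older than 5.15.16, which a string compare gets wrong.
    return "patched" if patch >= fixed_patch else "vulnerable"


def triage(inventory):
    """Group hosts from (host, version) pairs by classification."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("mq-01.example.internal", "5.15.9"),
    ("mq-02.example.internal", "5.15.16"),
    ("mq-03.example.internal", "5.18.2"),
    ("mq-04.example.internal", "5.14.5"),
    ("mq-05.example.internal", "5.17.6-SNAPSHOT"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```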

11/02/2023 10:14

Marco Verro
