The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2024/Apr/18 | Mailing List Third Party Advisory |
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt | Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html | Mailing List Third Party Advisory |
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
https://security.netapp.com/advisory/ntap-20231110-0010/ | Third Party Advisory |
https://www.openwall.com/lists/oss-security/2023/10/27/5 | Mailing List |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
27 Jun 2024, 18:30
Type | Values Removed | Values Added |
---|---|---|
First Time |
Netapp e-series Santricity Unified Manager
Debian Debian debian Linux Netapp e-series Santricity Web Services Proxy Netapp Netapp santricity Storage Plugin |
|
CPE | cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:* cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
|
References | () http://seclists.org/fulldisclosure/2024/Apr/18 - Mailing List, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html - Mailing List, Third Party Advisory | |
References | () https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | () https://security.netapp.com/advisory/ntap-20231110-0010/ - Third Party Advisory | |
References | () https://www.openwall.com/lists/oss-security/2023/10/27/5 - Mailing List |
11 Apr 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Nov 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
20 Nov 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-27 15:15
Updated : 2024-06-27 18:30
NVD link : CVE-2023-46604
Mitre link : CVE-2023-46604
CVE.ORG link : CVE-2023-46604
JSON object : View
Products Affected
netapp
- e-series_santricity_web_services_proxy
- santricity_storage_plugin
- e-series_santricity_unified_manager
apache
- activemq_legacy_openwire_module
- activemq
debian
- debian_linux
CWE
CWE-502
Deserialization of Untrusted Data