Unpacking the Apache ActiveMQ Exploit (CVE-2023-46604)
Recently, a critical vulnerability in Apache ActiveMQ, CVE-2023-46604, with a CVSS v3 score of 10 out of 10, caught the attention of the cybersecurity community (https://research.kudelskisecurity.com/2023/11/03/cve-2023-46604-apache-activemq-rce-vulnerability/).
The vulnerability leads to remote code execution (RCE) by exploiting insecure unmarshalling in the implementation of the Openwire protocol.
An exploit can be found at https://github.com/mouadk/application-security/tree/main/activemq-cve-2023-46604.
Summary
- CVE-2023-46604 (CVSS v3 score 10.0) is essentially an insecure deserialization vulnerability: an attacker combines certain “gadgets” on the classpath, the Java reflection API, and a flaw in the Openwire protocol (https://activemq.apache.org/wire-protocol) marshaller validation to instantiate any class on the classpath, thereby achieving Remote Code Execution (RCE).
- One exploit available leverages the refreshing of the Spring Application Context.
- The vulnerability is exploitable as long as you don’t implement any Endpoint Detection and Response (EDR) or Runtime Application Self-Protection (RASP) solution. In fact, the creation of a process could be detected by the EDR or RASP itself, as we will explore later. The key difference between EDR and RASP is that RASP is integrated with the application itself and does not rely solely on the presence and functionality of an EDR or any other external tool that hooks into process creation, system calls, and so on.
- Moreover, the attacker must have network access to deliver the malicious payload, and there should be no firewalls or similar mechanisms that could interfere with the delivery process.
- In this article, we will examine how one gadget, ClassPathXmlApplicationContext, could be used, but this does not preclude the use of others.
- The fix (patched in 5.15.16, 5.16.7, 5.17.6, and 5.18.3) adds one more check to the deserializer (unmarshaller), so that it validates an additional condition before instantiating a gadget, which would otherwise lead to the instantiation of an arbitrary class found on the classpath. Of course, the attacker doesn’t care about the specific gadget used; the goal is to execute code on the remote server.
- Once the attacker is capable of executing shell commands on the victim’s server, various…
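To make the “one more condition” in the fix concrete, here is an added illustration in Java, written for this article and not taken from ActiveMQ’s source or from the exploit repository linked above. It models the reflective exception-rebuilding step of an OpenWire-style unmarshaller: an unchecked version that instantiates whatever class name arrives on the wire, beside a hardened version that first checks that the loaded class is a Throwable. That Throwable type check is an assumption about the condition the patched marshaller enforces (the article does not spell it out), and java.lang.StringBuilder is a constructed, harmless stand-in for a gadget class with a (String) constructor.

```java
import java.lang.reflect.Constructor;

// Added illustration (not ActiveMQ's code): a minimal reflective "throwable"
// factory of the kind an OpenWire-style marshaller uses when it rebuilds an
// exception object from a class name and a message string read off the wire.
public class ThrowableUnmarshalDemo {

    // "Before": trusts the class name that arrived over the network. Any class
    // on the classpath with a public (String) constructor gets instantiated,
    // which is the insecure-unmarshalling pattern behind CVE-2023-46604.
    static Object createThrowableUnchecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, ThrowableUnmarshalDemo.class.getClassLoader());
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // "After": the extra validation step. The class is loaded without being
    // initialised, checked to be a Throwable subtype, and only then constructed.
    // (Assumed to mirror the condition added by the fix.)
    static Throwable createThrowableChecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, ThrowableUnmarshalDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                "refusing to instantiate non-Throwable class from wire: " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Legitimate use: a real exception type is rebuilt by both versions.
        String ok = "java.lang.IllegalStateException";
        System.out.println("unchecked: " + createThrowableUnchecked(ok, "broker error").getClass().getName());
        System.out.println("checked:   " + createThrowableChecked(ok, "broker error").getClass().getName());

        // Constructed, harmless stand-in for a gadget: any class with a (String)
        // constructor. The unchecked version builds it; the checked one refuses.
        String notAThrowable = "java.lang.StringBuilder";
        System.out.println("unchecked: " + createThrowableUnchecked(notAThrowable, "x").getClass().getName());
        try {
            createThrowableChecked(notAThrowable, "x");
        } catch (IllegalArgumentException e) {
            System.out.println("checked:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac ThrowableUnmarshalDemo.java && java ThrowableUnmarshalDemo`. The point of the checked variant is that the decision is made on the loaded type before any constructor runs, and the class is loaded with `initialize=false` so that static initialisers of an unexpected class are not triggered by the lookup itself; a deny-list of known gadget names would not give the same guarantee, since, as the summary notes, the attacker does not care which gadget is used.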