Unpacking the Apache ActiveMQ Exploit (CVE-2023-46604)

Kondah Mouad
8 min read · Nov 5, 2023

Recently, a critical vulnerability in Apache ActiveMQ, CVE-2023-46604, with a CVSS v3 score of 10 out of 10, caught the attention of the security community (https://research.kudelskisecurity.com/2023/11/03/cve-2023-46604-apache-activemq-rce-vulnerability/).

The vulnerability leads to remote code execution (RCE) through insecure unmarshalling in the broker's implementation of the OpenWire protocol.

Exploit can be found at https://github.com/mouadk/application-security/tree/main/activemq-cve-2023-46604.

Summary

  • CVE-2023-46604 (CVSS v3 score 10.0) is essentially an insecure deserialization vulnerability: the OpenWire protocol (https://activemq.apache.org/wire-protocol) marshaller did not validate the class name it reads when unmarshalling a Throwable, so it used the Java reflection API to instantiate any class on the classpath that has a public constructor taking a single String. Combined with a suitable “gadget” class on the classpath, that is enough for Remote Code Execution (RCE). The fixed releases (5.15.16, 5.16.7, 5.17.6 and 5.18.3) check that the named class is actually a Throwable before instantiating it.
  • The public exploit uses Spring's ClassPathXmlApplicationContext as that gadget: its String constructor takes the location of a bean-definition XML, fetches it from an attacker-controlled URL and refreshes the Spring Application Context, so the beans declared in that XML are instantiated on the broker.
  • The vulnerability is exploitable on any unpatched broker; what an Endpoint Detection and Response (EDR) or Runtime Application Self-Protection (RASP) solution can do is detect or block the payload, since the exploit ends up creating a process on the broker, as we will explore later. The key difference between EDR and RASP is that RASP comes integrated with the application and does not rely solely on the presence and functionality of…
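
To make the root cause concrete, here is an added example (written for this article, not ActiveMQ's own source) that reconstructs the unsafe reflection pattern next to a hardened version. The class and method names (ThrowableFactory, createThrowableUnsafe, createThrowableSafe) are hypothetical; java.io.File is used as a harmless stand-in for a non-Throwable class with a String constructor, the same shape as the Spring gadget.

```java
import java.lang.reflect.Constructor;

// Illustrative reconstruction of the bug class behind CVE-2023-46604.
// Not ActiveMQ code: names and structure are assumptions for the example.
public class ThrowableFactory {

    // Vulnerable pattern: the class name comes straight off the wire and any
    // class with a public (String) constructor gets instantiated.
    static Object createThrowableUnsafe(String clazz, String message) throws Exception {
        Class<?> c = Class.forName(clazz);
        Constructor<?> ctor = c.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Hardened pattern: resolve the class WITHOUT running its static initializer
    // (initialize=false), then refuse anything that is not a Throwable before
    // any constructor is invoked.
    static Throwable createThrowableSafe(String clazz, String message) throws Exception {
        Class<?> c = Class.forName(clazz, false, ThrowableFactory.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("refusing non-Throwable class: " + clazz);
        }
        return (Throwable) c.getConstructor(String.class).newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Legitimate use: a real exception type round-trips fine.
        System.out.println(createThrowableSafe("java.lang.IllegalStateException", "boom"));

        // Constructed attacker-style input: a non-Throwable class with a (String)
        // constructor. java.io.File is a harmless stand-in for
        // org.springframework.context.support.ClassPathXmlApplicationContext.
        Object o = createThrowableUnsafe("java.io.File", "/tmp/anything");
        System.out.println("unsafe path instantiated: " + o.getClass().getName());

        try {
            createThrowableSafe("java.io.File", "/tmp/anything");
        } catch (IllegalArgumentException e) {
            System.out.println("safe path rejected: " + e.getMessage());
        }
    }
}
```

Two points worth noting from the hardened version. First, the check has to happen before the constructor runs, because the Spring gadget does all its damage inside the constructor (it loads the XML and refreshes the context). Second, even a type check still loads the class, so passing initialize=false to Class.forName matters; an explicit allowlist of exception class names is stricter still and is what you would want if the protocol only ever needs to carry a handful of known exception types.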
