1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Apache ActiveMQ Deserialization of Untrusted Data Vulnerability

Known Exploited Vulnerabilities CVE-2023-46604 Mappings

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2023-46604 Apache ActiveMQ Deserialization of Untrusted Data Vulnerability secondary_impact T1053.005 Scheduled Task
Comments
This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.
References
  1. https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
  2. https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
  3. https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
CVE-2023-46604 Apache ActiveMQ Deserialization of Untrusted Data Vulnerability primary_impact T1059.004 Unix Shell
Comments
This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.
References
  1. https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
  2. https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
  3. https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
CVE-2023-46604 Apache ActiveMQ Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.
References
  1. https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
  2. https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
  3. https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html