CVE-2023-46604

10.0 CRITICAL

📋 TL;DR

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire protocol marshaller. It allows remote attackers with network access to a vulnerable Java-based OpenWire broker or client to execute arbitrary shell commands by manipulating serialized class types. This affects users running vulnerable versions of Apache ActiveMQ brokers or clients that use the OpenWire protocol.

💻 Affected Systems

Products:
  • Apache ActiveMQ
Versions: before 5.15.16, 5.16.7, 5.17.6, and 5.18.3
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both brokers and clients using the OpenWire protocol; default configurations are vulnerable if the vulnerable version is in use.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise leading to data theft, ransomware deployment, or complete control over affected systems, potentially enabling lateral movement across networks.

🟠 Likely Case: Remote code execution allowing attackers to install malware, exfiltrate sensitive data, or disrupt services, often resulting in significant operational and security breaches.

🟢 If Mitigated: Limited impact if systems are patched, isolated, or have strict network controls, but residual risk may exist from unpatched clients or misconfigurations.

🌐 Internet-Facing: HIGH, as the vulnerability can be exploited remotely without authentication, making internet-exposed ActiveMQ instances prime targets for attacks.
🏢 Internal Only: HIGH, because internal attackers or compromised systems could exploit this to gain unauthorized access and escalate privileges within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are publicly available and easy to use, leading to widespread attacks; no authentication is required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.15.16, 5.16.7, 5.17.6, or 5.18.3

Vendor Advisory: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt

Restart Required: Yes

Instructions:

1. Download the patched version from the Apache ActiveMQ website.
2. Stop the ActiveMQ service.
3. Back up configuration and data.
4. Replace the installation with the new version.
5. Restart the service and verify functionality.

🔧 Temporary Workarounds

Disable OpenWire Protocol

Applies to: all

Temporarily disable the OpenWire protocol to block the exploitation vector; note that this breaks connectivity for every client that uses OpenWire.

Edit activemq.xml and remove or comment out the OpenWire transport connectors, e.g.:
<transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
(Inside the XML file the ampersand in the URI is written as &amp;, as the stock activemq.xml does.)

Network Segmentation

Applies to: all

Restrict network access to ActiveMQ instances using firewalls or security groups to limit exposure.

Use iptables on Linux: sudo iptables -A INPUT -p tcp --dport 61616 -j DROP
(This drops all OpenWire traffic; insert an ACCEPT rule for trusted client addresses ahead of it if legitimate clients still need to connect.)
Or use Windows Firewall: New-NetFirewallRule -DisplayName "Block ActiveMQ Port" -Direction Inbound -LocalPort 61616 -Protocol TCP -Action Block

🧯 If You Can't Patch

  • Implement strict network access controls to isolate ActiveMQ instances from untrusted networks and limit client connections.
  • Monitor logs and network traffic for exploitation attempts and consider using intrusion detection systems to alert on suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the ActiveMQ version by accessing the web console at http://<host>:8161/admin or running: java -jar activemq.jar version

Check Version:

java -jar activemq.jar version

Verify Fix Applied:

Verify the version is 5.15.16, 5.16.7, 5.17.6, or 5.18.3 (or a later release on the same branch) using the same commands, and ensure no exploitation attempts are logged.
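An added helper, not part of this advisory, that encodes the fixed versions listed above so the output of the version commands can be checked branch by branch (5.17.5 is affected, 5.17.6 is not). It assumes that branches newer than 5.18 and major versions above 5 already carry the fix, which the advisory does not state explicitly.

```python
import re

# Lowest fixed release on each affected 5.x branch, from the advisory above.
FIXED_BY_BRANCH = {15: 16, 16: 7, 17: 6, 18: 3}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from a version string or command output,
    e.g. 'ActiveMQ 5.17.5' or '5.18.3-SNAPSHOT'. Raises ValueError if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text: str) -> bool:
    """True if the reported version is affected by CVE-2023-46604.
    Assumption (not stated by the advisory): releases on branches newer
    than 5.18 and major versions above 5 already include the fix."""
    major, minor, patch = parse_version(text)
    if major > 5:
        return False
    if major < 5 or minor < 15:
        return True  # everything before 5.15.16 is affected
    fixed_patch = FIXED_BY_BRANCH.get(minor)
    if fixed_patch is None:
        return False  # 5.19 or newer: later than any affected branch
    return patch < fixed_patch


def assess(text: str) -> str:
    """One-line verdict with the branch's fix release to upgrade to."""
    major, minor, patch = parse_version(text)
    if is_vulnerable(text):
        target = FIXED_BY_BRANCH.get(minor)
        advice = f"upgrade to 5.{minor}.{target}" if target else "upgrade to 5.15.16 or later"
        return f"{major}.{minor}.{patch}: VULNERABLE, {advice}"
    return f"{major}.{minor}.{patch}: not affected"


if __name__ == "__main__":
    # Constructed sample outputs, as the version commands above might print them.
    for line in ["ActiveMQ 5.17.5", "5.18.3", "ActiveMQ 5.15.15", "5.16.7", "5.8.0", "6.0.0"]:
        print(assess(line))
```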

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java class loading errors in ActiveMQ logs, unexpected shell command executions, or abnormal network connections to the OpenWire port (default 61616).

Network Indicators:

  • Suspicious traffic to port 61616 with serialized data patterns, or outbound connections from ActiveMQ to external IPs indicating command and control activity.

SIEM Query:

Example for Splunk (the OR group needs parentheses, otherwise the ERROR/WARN filter applies only to the first term):
index=activemq sourcetype=activemq_log (ERROR OR WARN) ("ClassNotFoundException" OR "Remote code execution") | stats count by host
