Remote Code Execution Vulnerability in Apache ActiveMQ < 5.18.3 (Deserialization)
Apache ActiveMQ versions prior to 5.18.3 contain a deserialization flaw that allows remote code execution via crafted OpenWire protocol messages sent to the broker's default port 61616. The flaw affects the activemq-client and activemq-openwire-legacy artifacts (and the activemq distribution itself) and is fixed by upgrading to 5.15.16, 5.16.7, 5.17.6, 5.18.3 or any later release.
Vulnerability Description
Apache ActiveMQ is an open‑source messaging middleware from the Apache Software Foundation that supports JMS, clustering, Spring Framework integration, and more.
By default, ActiveMQ listens on port 61616 for OpenWire protocol messages. Because the broker's handling of malformed messages uses reflection to instantiate classes, an attacker who can reach that port can craft serialized message data that causes the broker to load an arbitrary class and achieve remote code execution.
Vulnerability Details
Name: Apache ActiveMQ < 5.18.3 Remote Code Execution Vulnerability
Type: Deserialization
Discovery Date: 2023‑10‑25
Impact Breadth: General
MPS ID: MPS‑bd9c‑7xsh
CVE: –
CNVD: CNVD‑2023‑80853
Affected Components
org.apache.activemq:activemq-client@[5.18.0, 5.18.3)
org.apache.activemq:activemq-openwire-legacy@[5.18.0, 5.18.3)
activemq@[5.18.0, 5.18.3)
org.apache.activemq:activemq-client@(-∞, 5.17.6)
org.apache.activemq:activemq-openwire-legacy@(-∞, 5.17.6)
activemq@(-∞, 5.17.6)
Remediation
Upgrade to 5.15.16, 5.16.7, 5.17.6, 5.18.3, or any later version.
For the 5.18.x branch, upgrade the components org.apache.activemq:activemq-openwire-legacy and activemq to version 5.18.3 or newer.
For the 5.17.x and earlier branches, upgrade the components org.apache.activemq:activemq-client, org.apache.activemq:activemq-openwire-legacy and activemq to version 5.17.6 or newer.
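To turn the affected ranges and fixed releases above into a dependency check, here is an added example that is not part of this advisory or of the ActiveMQ project: a small Python checker that parses the Maven-style interval notation used in the Affected Components section, decides whether a given artifact version falls in scope, and names the fixed release from the Remediation section that applies to that maintenance branch. The artifact/version pairs at the bottom are constructed sample input, not real inventory data.

```python
"""Dependency check for the ActiveMQ OpenWire deserialization advisory.

Added example, not code from the advisory or the ActiveMQ project. It parses the
Maven-style interval notation used in the Affected Components section and tells
you whether a given artifact version is in scope and which fixed release applies.
"""
import re
from typing import Dict, List, Optional, Tuple

# Ranges copied from the advisory. '[' / ']' are inclusive bounds, '(' / ')' are
# exclusive bounds, and -∞ means there is no lower bound.
AFFECTED_RANGES: Dict[str, List[str]] = {
    "org.apache.activemq:activemq-client": ["[5.18.0, 5.18.3)", "(-∞, 5.17.6)"],
    "org.apache.activemq:activemq-openwire-legacy": ["[5.18.0, 5.18.3)", "(-∞, 5.17.6)"],
    "activemq": ["[5.18.0, 5.18.3)", "(-∞, 5.17.6)"],
}

# Fixed releases named in the Remediation section, ordered by maintenance branch.
FIXED_RELEASES = ["5.15.16", "5.16.7", "5.17.6", "5.18.3"]

Version = Tuple[int, ...]
Range = Tuple[Optional[Version], bool, Optional[Version], bool]

# bracket, lower bound, upper bound, bracket
_RANGE_RE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])$")


def parse_version(text: str) -> Version:
    """'5.18.2' -> (5, 18, 2, 0). A qualified build such as '5.18.3-SNAPSHOT' sorts
    below the plain release, as Maven orders it, so it gets a trailing -1 and is
    still treated as older than the fix."""
    core, _, qualifier = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # pad '5.17' to 5.17.0
    parts.append(-1 if qualifier else 0)
    return tuple(parts)


def parse_range(spec: str) -> Range:
    """Parse '[5.18.0, 5.18.3)' or '(-∞, 5.17.6)' into bounds plus inclusivity flags."""
    match = _RANGE_RE.match(spec.strip())
    if not match:
        raise ValueError(f"unrecognised range: {spec!r}")
    lo_bracket, lo, hi, hi_bracket = match.groups()
    lo_v = None if lo in ("", "-∞", "-inf") else parse_version(lo)
    hi_v = None if hi in ("", "∞", "inf") else parse_version(hi)
    return lo_v, lo_bracket == "[", hi_v, hi_bracket == "]"


def in_range(version: Version, rng: Range) -> bool:
    """Interval membership honouring open/closed ends and missing bounds."""
    lo, lo_inclusive, hi, hi_inclusive = rng
    if lo is not None and (version < lo or (version == lo and not lo_inclusive)):
        return False
    if hi is not None and (version > hi or (version == hi and not hi_inclusive)):
        return False
    return True


def is_affected(artifact: str, version: str) -> bool:
    """True if the artifact is listed in the advisory and the version is in any range."""
    v = parse_version(version)
    return any(in_range(v, parse_range(spec)) for spec in AFFECTED_RANGES.get(artifact, []))


def fixed_release_for(version: str) -> str:
    """The fixed release on the same 5.x branch, or the newest fix when the branch
    (for example 5.14.x) has no fix of its own and needs a branch upgrade."""
    v = parse_version(version)
    for fixed in FIXED_RELEASES:
        if parse_version(fixed)[:2] == v[:2]:
            return fixed
    return FIXED_RELEASES[-1]


def scan(dependencies: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per affected dependency with its upgrade target."""
    findings = []
    for artifact, version in dependencies:
        if is_affected(artifact, version):
            findings.append({"artifact": artifact, "version": version,
                             "upgrade_to": fixed_release_for(version)})
    return findings


# Constructed sample input (not real inventory data): what a dependency resolver
# might report for a few services.
SAMPLE_DEPENDENCIES = [
    ("org.apache.activemq:activemq-client", "5.18.2"),
    ("org.apache.activemq:activemq-client", "5.18.3"),
    ("org.apache.activemq:activemq-openwire-legacy", "5.15.15"),
    ("activemq", "5.17.6"),
    ("org.apache.activemq:activemq-broker", "5.16.3"),  # artifact not named in the advisory
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DEPENDENCIES):
        print(f"{finding['artifact']} {finding['version']} is affected; "
              f"upgrade to {finding['upgrade_to']} or newer")
```

Only artifacts named in the advisory are checked; anything else is reported as out of scope, not as safe. Snapshot and other qualified builds of a fixed version are deliberately kept in scope, since Maven orders `5.18.3-SNAPSHOT` before `5.18.3`.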