CVE-2023-46604: Apache ActiveMQ is vulnerable to Remote Code Execution (10th Nov 2023)

Preface: While ActiveMQ is a traditional message broker, Apache Kafka is a distributed streaming platform designed to handle high-velocity, high-volume, and fault-tolerant data streams. It was originally developed at LinkedIn and later donated to the Apache Software Foundation.

Background: ActiveMQ is open source, message-oriented middleware (MoM). It was written in Java with a full JMS (Java Message Service) client. OpenWire is the native protocol that Apache ActiveMQ uses. Message brokers, like ActiveMQ, can filter and process individual events.

Vulnerability details: Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Remedy: Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
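
One way to triage a broker inventory against the fixed releases listed above. This is an added example, not code from Apache or Red Hat; the inventory, host names and status labels are constructed. It assumes that branches older than 5.15 need an upgrade (no fixed release is listed for them) and that branches newer than 5.18 already contain the fix.

```python
import re

# Fixed releases named in the remedy above, keyed by (major, minor) branch.
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}
OLDEST = min(FIXED)

def classify(version: str) -> str:
    """Return 'fixed', 'upgrade' or 'review' for one reported broker version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        return "review"                  # unparseable: needs a human
    major, minor, patch = (int(g) for g in m.groups()[:3])
    suffix = m.group(4)
    if "redhat" in suffix.lower():
        # Vendor builds carry backports; upstream numbers do not apply.
        # Check the vendor's own advisory instead.
        return "review"
    branch = (major, minor)
    if branch in FIXED:
        if patch < FIXED[branch]:
            return "upgrade"
        if patch == FIXED[branch] and suffix:
            return "review"              # e.g. -SNAPSHOT of the fixed release
        return "fixed"
    if branch < OLDEST:
        return "upgrade"                 # assumption: no fix listed for branch
    return "fixed"                       # assumption: newer branch has the fix

def triage(inventory: dict) -> dict:
    """Map each host in {host: version} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "mq-prod-1": "5.18.2",
    "mq-prod-2": "5.18.3",
    "mq-legacy": "5.14.5",
    "mq-build": "5.18.3-SNAPSHOT",
    "mq-vendor": "5.15.9.redhat-1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {SAMPLE[host]:18} {status}")
```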

Official announcement: Please refer to the link for details –

Critical: Red Hat AMQ Broker 7.11.4 release and security update –

Critical: Red Hat AMQ Broker 7.10.5 release and security update –

Critical: security update jboss-amq-6/amq63-openshift container image –

Critical: jboss-amq-6-amq63-openshift-container security update –

