CVE-2023-46604 vulnerability for Apache ActiveMQ Deserialization of Untrusted Data Vulnerability and Service Operations Insight 4.2 Cumulative Updates
search cancel

CVE-2023-46604 vulnerability for Apache ActiveMQ Deserialization of Untrusted Data Vulnerability and Service Operations Insight 4.2 Cumulative Updates

book

Article ID: 275698

calendar_today

Updated On:

Products

CA Service Operations Insight (SOI)

Issue/Introduction

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath..

Are Service Operations Insight 4.2 cumulative updates affected by this vulnerability?

Environment

Release: SOI 4.2 CU5

Resolution

For Apache ActiveMQ 5.16.x, this vulnerability affects the versions up to 5.16.6.

As of SOI 4.2 CU5, it is bundled with Apache ActiveMQ 5.16.5 which is known to be impacted; please follow the below manual procedure to upgrade Apache ActiveMQ to 5.16.7.

  • Shutdown all the SOI services across distributed environments
  • On the system where CA SOI MQ Server is installed, follow the below steps
    • Go to SOI HOME directory and rename the folder apache-activemq to apache-activemq-5.16.5
    • Download the file apache-activemq.zip and extract the contents to SOI HOME directory. Once the extraction is completed you should be able to see the folder apache-activemq
    • Replace the below files from backup (apache-activemq-5.16.5):
      • apache-activemq\bin\win64\wrapper.conf
      • apache-activemq\conf\activemq.xml
      • apache-activemq\conf\log4j.properties
    • Copy the below files from backup (apache-activemq-5.16.5)
      • apache-activemq\lib\soi.common.message-bus.jar
  • On the system where CA SOI Event Management is installed, follow the below steps
    • Delete the below files
      • <SOI HOME>\EventManagement\lib\activemq-all-5.16.5.jar
    • Copy the file from apache-activemq\activemq-all-5.16.7.jar from CA SOI MQ Server system to this server
      • <SOI HOME>\EventManagement\lib\activemq-all-5.16.7.jar
  • On the system where CA SOI User Interface Server is installed, follow the below steps
    • Delete the below files
      • <SOI HOME>\SamUI\lib\activemq-all-5.16.5.jar
    • Copy the file from apache-activemq\activemq-all-5.16.7.jar from CA SOI MQ Server system to this server
      • <SOI HOME>\SamUI\lib\activemq-all-5.16.7.jar
  • On the system where CA SOI Application Server is installed, follow the below steps
    • Delete the below files
      • <SOI HOME>\tomcat\lib\activemq-all-5.16.5.jar
      • <SOI HOME>\tomcat\webapps\sor.application\WEB-INF\lib\activemq-all-5.16.5.jar
      • <SOI HOME>\Tools\Priming Utility\lib\activemq-all-5.16.5.jar
    • Copy the file from apache-activemq\activemq-all-5.16.7.jar from CA SOI MQ Server system to this server
      • <SOI HOME>\tomcat\lib\activemq-all-5.16.7.jar
      • <SOI HOME>\tomcat\webapps\sor.application\WEB-INF\lib\activemq-all-5.16.7.jar
      • <SOI HOME>\Tools\Priming Utility\lib\activemq-all-5.16.7.jar
  • On the system where CA SOI UCF Broker is installed, follow the below steps
    • Delete the below files
      • <SOI HOME>\ucfbroker\lib\activemq-all-5.16.5.jar
    • Copy the file from apache-activemq\activemq-all-5.16.7.jar from CA SOI MQ Server system to this server
      • <SOI HOME>\ucfbroker\lib\activemq-all-5.16.7.jar
  • On the system where CA SOI Integration Services is installed, follow the below steps
    • Delete the below files
      • <SOI HOME>\lib\ivy\activemq-all-5.16.5.jar
    • Copy the file from apache-activemq\activemq-all-5.16.7.jar from CA SOI MQ Server system to this server
      • <SOI HOME>\lib\ivy\activemq-all-5.16.7.jar

Start all the SOI services across distributed environments