The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
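To make concrete what "manipulating serialized class types" means on the wire, the following is an added example (it is not part of this advisory, of Service Virtualization, or of Apache ActiveMQ). It parses a size-prefixed OpenWire frame using the defaults a broker or client applies before WireFormatInfo negotiation (loose encoding, stack traces off) and flags an ExceptionResponse (command type 31) whose Throwable class name lies outside the namespaces a genuine ActiveMQ peer would send. The allowlist of prefixes, the placeholder class name org.example.NotAThrowable and the sample messages are assumptions constructed for this example; the field layout is the loose-encoded ExceptionResponse layout (size, type, commandId, responseRequired, correlationId, null flag, class name, message).

```python
import struct

EXCEPTION_RESPONSE = 31  # OpenWire command type byte for ExceptionResponse

# Namespaces a genuine ActiveMQ peer's ExceptionResponse would name. This allowlist
# is an assumption made for this example; extend it for exception classes your
# deployment legitimately exchanges.
EXPECTED_THROWABLE_PREFIXES = ("java.", "javax.", "jakarta.", "org.apache.activemq.")


def _read_loose_string(buf, pos):
    """Loose-encoded OpenWire string: 1-byte null flag, then Java writeUTF (u16 length + bytes)."""
    if pos >= len(buf):
        raise ValueError("truncated frame: missing string null flag")
    present, pos = buf[pos], pos + 1
    if not present:
        return None, pos
    if pos + 2 > len(buf):
        raise ValueError("truncated frame: missing string length")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated frame: string body runs past end of frame")
    return buf[pos:pos + length].decode("utf-8", errors="replace"), pos + length


def parse_exception_response(frame):
    """Parse one size-prefixed OpenWire frame with the pre-negotiation defaults
    (loose encoding, stack traces off). Returns None for any other command type,
    otherwise the Throwable class name and message the peer wants instantiated.

    Layout: int32 size | u8 type | int32 commandId | u8 responseRequired |
            int32 correlationId | u8 exceptionPresent | string className | string message
    """
    if len(frame) < 5:
        raise ValueError("truncated frame: no size prefix and command type")
    (size,) = struct.unpack_from(">I", frame, 0)
    if size != len(frame) - 4:
        raise ValueError("size prefix %d does not match payload length %d" % (size, len(frame) - 4))
    if frame[4] != EXCEPTION_RESPONSE:
        return None
    if len(frame) < 15:
        raise ValueError("truncated frame: ExceptionResponse header incomplete")
    command_id, _response_required, correlation_id, present = struct.unpack_from(">iBiB", frame, 5)
    result = {"command_id": command_id, "correlation_id": correlation_id,
              "class_name": None, "message": None}
    if present:
        result["class_name"], pos = _read_loose_string(frame, 15)
        result["message"], _ = _read_loose_string(frame, pos)
    return result


def is_suspicious(parsed):
    """An ExceptionResponse naming a class outside the expected Throwable namespaces is the
    CVE-2023-46604 pattern: the vulnerable marshaller resolves the name with Class.forName and
    calls its (String) constructor with the peer-supplied message."""
    if parsed is None or parsed["class_name"] is None:
        return False
    return not parsed["class_name"].startswith(EXPECTED_THROWABLE_PREFIXES)


def build_exception_response(class_name, message):
    """Encode a loose ExceptionResponse frame; used here only to construct sample input."""
    body = bytearray([EXCEPTION_RESPONSE])
    body += struct.pack(">iBi", 0, 0, 0)  # commandId, responseRequired=false, correlationId
    body += b"\x01"                        # exception present
    for text in (class_name, message):
        raw = text.encode("utf-8")
        body += b"\x01" + struct.pack(">H", len(raw)) + raw
    return struct.pack(">I", len(body)) + bytes(body)


# Constructed samples (not captured traffic): a benign broker error, and a frame naming a
# placeholder class that is not a Throwable, which is the shape of the exploit pattern.
SAMPLE_FRAMES = {
    "benign": build_exception_response("java.lang.SecurityException", "User is not authorized"),
    "hostile": build_exception_response("org.example.NotAThrowable", "attacker-controlled string"),
}


def classify_frames(frames=SAMPLE_FRAMES):
    """Return {label: (class_name, suspicious)} for each frame."""
    out = {}
    for label, frame in frames.items():
        parsed = parse_exception_response(frame)
        out[label] = (parsed["class_name"] if parsed else None, is_suspicious(parsed))
    return out


if __name__ == "__main__":
    for label, (class_name, suspicious) in classify_frames().items():
        print("%-8s %-40s %s" % (label, class_name, "SUSPICIOUS" if suspicious else "ok"))
```

A peer that has negotiated tight encoding lays the same fields out through a bit stream, and a negotiated stackTraceEnabled adds a stack-frame count after the message, so a production detector has to follow the WireFormatInfo exchange rather than assume these defaults. The upstream fix takes the complementary approach on the receiving side: the patched marshaller refuses to instantiate a class name that is not a Throwable subclass, which is the property this allowlist approximates from the outside.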
Three things are required to exploit this vulnerability:
Severity: Critical
Impacted: 10.7.x and lower
Third Party Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2023-46604
NOTE: This fix needs to be applied on all servers and workstations.
Based on our initial review, Service Virtualization is affected by this vulnerability through the activemq-client library.
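A way to verify on each server or workstation which ActiveMQ client the installation actually carries, as an added example that is not a Broadcom or Apache tool: it walks a directory tree for ActiveMQ jars, reads the Maven version from the jar's pom.properties (falling back to the file name) and compares it with the first fixed release on each 5.x line named in the Apache ActiveMQ advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3). Assumptions made here: the artifact names activemq-client, activemq-all and activemq-openwire-legacy are the jars that carry the OpenWire marshaller, lines newer than 5.18 ship with the fix, and the jars used by the demo are constructed on the fly rather than real artifacts.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# First release on each 5.x line that carries the CVE-2023-46604 fix (Apache ActiveMQ advisory).
FIXED_BY_MINOR = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}

# Jar names assumed to contain the OpenWire marshaller (activemq-all bundles activemq-client).
JAR_NAME = re.compile(r"^activemq-(client|all|openwire-legacy)-(\d+)\.(\d+)\.(\d+)")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'5.18.3-SNAPSHOT' -> (5, 18, 3); None if no x.y.z is present."""
    m = VERSION.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when this ActiveMQ version includes the CVE-2023-46604 fix."""
    major, minor, _patch = version
    if major != 5:
        return major > 5          # assumption: 6.x and later lines shipped with the fix
    if minor < 15:
        return False              # lines before 5.15 never received a fix release
    if minor > 18:
        return True
    return version >= FIXED_BY_MINOR[minor]


def version_from_jar(path):
    """Prefer the Maven pom.properties inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                if name.startswith("META-INF/maven/org.apache.activemq/") and name.endswith("pom.properties"):
                    for line in jar.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            found = parse_version(line.split("=", 1)[1])
                            if found:
                                return found
    except zipfile.BadZipFile:
        pass
    m = JAR_NAME.match(Path(path).name)
    return tuple(int(x) for x in m.groups()[1:]) if m else None


def scan(root):
    """Return [(path, version, fixed)] for every ActiveMQ jar below root; fixed is None if unknown."""
    findings = []
    for jar in Path(root).rglob("activemq-*.jar"):
        if not JAR_NAME.match(jar.name):
            continue
        version = version_from_jar(jar)
        findings.append((str(jar), version, is_fixed(version) if version else None))
    return findings


def write_sample_jar(path, version):
    """Constructed test input: a minimal jar carrying only a Maven pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.activemq/activemq-client/pom.properties",
                     "version=%s\n" % version)


def demo():
    """Scan a temporary tree holding one vulnerable and one fixed constructed jar."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        write_sample_jar(lib / "activemq-client-5.17.5.jar", "5.17.5")
        write_sample_jar(lib / "activemq-client-5.18.3.jar", "5.18.3")
        return sorted((Path(p).name, v, fixed) for p, v, fixed in scan(tmp))


if __name__ == "__main__":
    findings = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, version, fixed in findings:
        status = "unknown" if fixed is None else ("fixed" if fixed else "VULNERABLE")
        print("%-10s %-8s %s" % (status, ".".join(map(str, version)) if version else "?", path))
```

Run it with the Service Virtualization installation directory as the argument; with no argument it scans the constructed demo tree. A "VULNERABLE" or "unknown" result on any host means that host still needs the patch. For the container deployment the equivalent check is to compare the image references the cluster is actually running against the patched tags listed on this page.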
We have a solution ready for the ActiveMQ vulnerability:
The on-prem patch is available at the location below.
Below are the external image tags.
10.7.0
sv-docker.packages.broadcom.com/sv/portal:10.7.0.73
sv-docker.packages.broadcom.com/sv/enterprise-dashboard:10.7.0.49
sv-docker.packages.broadcom.com/sv/lisa:10.7.0.172
sv-docker.packages.broadcom.com/sv/iaam:1.4.2.82
sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.6.46
sv-docker.packages.broadcom.com/sv/config-server:0.0.6.23
10.7.2
sv-docker.packages.broadcom.com/sv/portal:10.7.2.313
sv-docker.packages.broadcom.com/sv/enterprise-dashboard:10.7.2.348
sv-docker.packages.broadcom.com/sv/lisa:10.7.2.381
sv-docker.packages.broadcom.com/sv/iaam:1.4.5.673
sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.8.62
sv-docker.packages.broadcom.com/sv/config-server:0.0.7.30
10.7.2.SP3
sv-docker.packages.broadcom.com/sv/portal:10.7.2.1475
sv-docker.packages.broadcom.com/sv/enterprise-dashboard:10.7.2.1707
sv-docker.packages.broadcom.com/sv/lisa:10.7.2.1860
sv-docker.packages.broadcom.com/sv/iaam:2.0.0.2149
sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.9.127
sv-docker.packages.broadcom.com/sv/config-server:0.0.7.43