ActiveMQ CVE-2023-46604 - Service Virtualization (DevTest)

Article ID: 276196


Products

Service Virtualization

Issue/Introduction

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

Three things are required to exploit this vulnerability:

  • Network access
  • A manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter)
  • A class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter


Severity: Critical

Environment

Impacted: 10.7.x and lower

Cause

Third Party Vulnerability

  https://nvd.nist.gov/vuln/detail/CVE-2023-46604

Resolution

NOTE: This fix needs to be applied on all Servers and Workstations.

Based on our initial review, Service Virtualization is affected by this vulnerability through the activemq-client library.

We have a solution ready for the ActiveMQ vulnerability:

The on-premises patch is available at the location below:

https://ftp.broadcom.com/user/downloads/pub/TDM/SV/DayZeroVulnerabilities/ActiveMQ/CVE-2023-46604/Vulnerability_CVE-2023-46604_%28Apache_ActiveMQ%29_Fix_DevTest_10.7_and_above.zip

Below are the external image tags, grouped by release line.

10.7.0
sv-docker.packages.broadcom.com/sv/portal:10.7.0.73
sv-docker.packages.broadcom.com/sv/enterprise-dashboard:10.7.0.49
sv-docker.packages.broadcom.com/sv/lisa:10.7.0.172
sv-docker.packages.broadcom.com/sv/iaam:1.4.2.82
sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.6.46
sv-docker.packages.broadcom.com/sv/config-server:0.0.6.23


10.7.2
sv-docker.packages.broadcom.com/sv/portal:10.7.2.313
sv-docker.packages.broadcom.com/sv/enterprise-dashboard:10.7.2.348
sv-docker.packages.broadcom.com/sv/lisa:10.7.2.381
sv-docker.packages.broadcom.com/sv/iaam:1.4.5.673
sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.8.62
sv-docker.packages.broadcom.com/sv/config-server:0.0.7.30


10.7.2.SP3
sv-docker.packages.broadcom.com/sv/portal:10.7.2.1475
sv-docker.packages.broadcom.com/sv/enterprise-dashboard:10.7.2.1707
sv-docker.packages.broadcom.com/sv/lisa:10.7.2.1860
sv-docker.packages.broadcom.com/sv/iaam:2.0.0.2149
sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.9.127
sv-docker.packages.broadcom.com/sv/config-server:0.0.7.43
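To check a deployment against the tags listed above, here is an added example script (not Broadcom tooling) that compares the image references a host reports against the tags for the operator-supplied release line. It assumes the listed tags are the minimum fixed builds of each line and that tags are purely numeric; pick the release line the host actually runs, since the 10.7.2 and 10.7.2.SP3 lines share a tag prefix.

```python
import re
from typing import Dict, List, Tuple

REGISTRY = "sv-docker.packages.broadcom.com/sv/"

# Image tags from the article, keyed by release line. Assumption: each list is
# the minimum build of that line that carries the CVE-2023-46604 fix.
FIXED_TAGS: Dict[str, Dict[str, str]] = {
    "10.7.0": {"portal": "10.7.0.73", "enterprise-dashboard": "10.7.0.49",
               "lisa": "10.7.0.172", "iaam": "1.4.2.82",
               "virtual-service-catalog": "1.7.6.46", "config-server": "0.0.6.23"},
    "10.7.2": {"portal": "10.7.2.313", "enterprise-dashboard": "10.7.2.348",
               "lisa": "10.7.2.381", "iaam": "1.4.5.673",
               "virtual-service-catalog": "1.7.8.62", "config-server": "0.0.7.30"},
    "10.7.2.SP3": {"portal": "10.7.2.1475", "enterprise-dashboard": "10.7.2.1707",
                   "lisa": "10.7.2.1860", "iaam": "2.0.0.2149",
                   "virtual-service-catalog": "1.7.9.127", "config-server": "0.0.7.43"},
}

def parse_tag(tag: str) -> Tuple[int, ...]:
    """Turn a dotted numeric tag such as 10.7.2.381 into a comparable tuple."""
    if not re.fullmatch(r"\d+(\.\d+)*", tag):
        raise ValueError(f"non-numeric tag: {tag}")
    return tuple(int(part) for part in tag.split("."))

def check_image(release_line: str, image_ref: str) -> str:
    """Classify one 'repository:tag' reference against the fixed tags of the
    given release line: 'fixed', 'vulnerable', 'not-sv-image' or 'unparseable-tag'."""
    repo, sep, tag = image_ref.rpartition(":")
    if not sep or not repo.startswith(REGISTRY):
        return "not-sv-image"
    fixed = FIXED_TAGS[release_line].get(repo[len(REGISTRY):])
    if fixed is None:
        return "not-sv-image"
    try:
        return "fixed" if parse_tag(tag) >= parse_tag(fixed) else "vulnerable"
    except ValueError:
        return "unparseable-tag"  # e.g. 'latest': cannot prove the fix is present

def check_images(release_line: str, image_refs: List[str]) -> Dict[str, str]:
    """Run check_image over every reference, e.g. the lines printed by
    `docker images --format '{{.Repository}}:{{.Tag}}'`."""
    return {ref: check_image(release_line, ref) for ref in image_refs}

# Constructed sample of what a 10.7.2 host might list; the lisa build predates
# the fixed tag and the iaam image uses a floating tag.
SAMPLE_IMAGES = [
    "sv-docker.packages.broadcom.com/sv/portal:10.7.2.313",
    "sv-docker.packages.broadcom.com/sv/lisa:10.7.2.300",
    "sv-docker.packages.broadcom.com/sv/iaam:latest",
    "docker.io/library/postgres:15",
]
```

Treat 'unparseable-tag' results as unverified rather than safe, and pin images to the fixed numeric tags instead of floating tags.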