CVE-2023-46604
Publication date 27 October 2023
Last updated 21 August 2024
Ubuntu priority
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Why is this CVE high priority?
Listed in CISA Known Exploited Vulnerabilities Catalog
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| activemq | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 5.16.1-1ubuntu0.1~esm1
|
|
| 20.04 LTS focal |
Fixed 5.15.11-1ubuntu0.1~esm1
|
|
| 18.04 LTS bionic |
Fixed 5.15.8-2~18.04.1~esm1
|
|
| 16.04 LTS xenial |
Fixed 5.13.2+dfsg-2ubuntu0.1~esm1
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6910-1
- Apache ActiveMQ vulnerabilities
- 23 July 2024