Apache ActiveMQ vulnerability used in ransomware attacks

On October 27, 2023, the Apache Software Foundation (ASF) announced a critical vulnerability in Apache ActiveMQ that can be used to achieve remote code execution (RCE). The Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are therefore required to remediate it by November 11, 2023 in order to protect their systems against active threats.

The catalog is a list of vulnerabilities that criminals are actively exploiting, so everyone else should act swiftly to patch or mitigate the problem as well. In this case the criminals are, or at least include, the HelloKitty ransomware group, also known as FiveHands. The group was first seen in November 2020 and typically uses double extortion: data is stolen before it is encrypted, and the victim is threatened with publication as well as with loss of access.

The ASF describes the vulnerability as follows:

The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Apache ActiveMQ® is “middleware”: a popular open source, multi-protocol, Java-based message broker. Message brokers like this are found in many enterprise systems, where they provide reliable communication between different applications and system components. OpenWire is ActiveMQ's native binary wire protocol; the broker listens for it on TCP port 61616 by default, and it is the protocol over which this vulnerability is exploited.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE in Apache ActiveMQ is listed as:

CVE-2023-46604 (CVSS 3 base score 10.0, the maximum): the broker unmarshals incoming OpenWire commands, and by manipulating the serialized class type carried in a command an attacker can make the broker instantiate any class on its classpath. (The classpath is the set of locations the Java Virtual Machine searches for classes, so it covers ActiveMQ's own code and every library shipped with the broker.) This is a deserialization of untrusted data vulnerability (CWE-502). The fix tightens validation in the OpenWire marshaller so that a class name received from the network is only instantiated if it actually is a Throwable (exception) class, which is what that part of the protocol expects.

To successfully exploit this vulnerability, three things are required:

  • Network access to the broker's OpenWire port. No broker credentials are needed, because the malicious command is processed by the wire-format layer before any authentication takes place.
  • A manipulated OpenWire “command” that names an arbitrary class on the classpath and supplies a String parameter; the broker resolves the class and calls its String-argument constructor.
  • A class on the classpath whose String-argument constructor does something dangerous with an attacker-controlled string, so that merely instantiating it leads to code execution.

A security update that patches the vulnerability was available on October 25, 2023, but as of October 30 there were still 3,329 internet-exposed servers running a vulnerable version. Users are advised to upgrade Apache ActiveMQ to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, whichever corresponds to the branch in use; every release older than 5.15.16 is affected as well. Users of both “Classic” and “Artemis” are recommended to upgrade. Where an upgrade cannot happen immediately, restricting network access to the OpenWire listener (TCP 61616 by default) to trusted clients removes the first of the three requirements above.
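A practical first step is finding out which version each reachable broker is actually running. The Python below is an added example (not code from the article or from the ActiveMQ project): it reads the WireFormatInfo command that an ActiveMQ broker sends as soon as a client connects, pulls out the advertised ProviderVersion and compares it with the fixed releases listed above. Assumptions are marked in the code: the broker speaks first, property keys and string values inside the WireFormatInfo map carry a 2-byte big-endian length prefix with strings tagged by type byte 9, and branches newer than 5.18 are outside the advisory's scope. A constructed sample frame is included so the parser can be exercised offline.

```python
"""Fingerprint an ActiveMQ broker's OpenWire handshake and compare its advertised
ProviderVersion with the releases that fix CVE-2023-46604.

Added example, not ActiveMQ project code. Assumptions: the broker sends its
WireFormatInfo first; map keys and string values use a 2-byte length prefix and
strings are tagged with type byte 9 (Java DataOutput.writeUTF style).
"""
import re
import socket
import struct
import sys

WIREFORMAT_INFO = 1            # OpenWire command type of WireFormatInfo
MAGIC = b"ActiveMQ"            # opens every WireFormatInfo body
STRING_TYPE = 9                # type tag of a String in the property map (assumption)
BOOLEAN_TYPE = 1               # type tag of a boolean in the property map (assumption)

# First release on each affected 5.x branch that contains the fix (ASF advisory).
FIXED_PATCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}


def is_vulnerable_version(version):
    """True if a 'Classic' version predates the fix, False if it is fixed, None if the
    string cannot be parsed or the branch is not covered by the advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    if major < 5 or (major == 5 and minor < 15):
        return True            # "before 5.15.16": no fixed release on these branches
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None            # e.g. 6.x: not listed as affected, so no claim is made
    return patch < fixed


def _utf(data):
    """2-byte big-endian length prefix + bytes (writeUTF-style, assumption)."""
    return struct.pack(">H", len(data)) + data


def parse_wireformat_info(frame):
    """Parse a raw OpenWire frame (4-byte length prefix + body) and return
    {'openwire_version': int, 'provider_version': str}; raise ValueError otherwise.
    Tight and loose encodings lay the body out differently, so the magic and the
    ProviderVersion key are located by searching rather than by fixed offset."""
    if len(frame) < 4:
        raise ValueError("frame shorter than its length prefix")
    (size,) = struct.unpack(">I", frame[:4])
    body = frame[4:4 + size]
    if not body or len(body) < size:
        raise ValueError("truncated frame")
    if body[0] != WIREFORMAT_INFO:
        raise ValueError("not a WireFormatInfo command (type %d)" % body[0])
    at = body.find(MAGIC)
    if at < 0 or at + 12 > len(body):
        raise ValueError("WireFormatInfo magic not found")
    (openwire_version,) = struct.unpack(">I", body[at + 8:at + 12])
    props = body[at + 12:]
    key = _utf(b"ProviderVersion")
    k = props.find(key)
    if k < 0:
        raise ValueError("ProviderVersion property missing")
    p = k + len(key)
    if p + 3 > len(props) or props[p] != STRING_TYPE:
        raise ValueError("ProviderVersion is not a String property")
    (vlen,) = struct.unpack(">H", props[p + 1:p + 3])
    value = props[p + 3:p + 3 + vlen]
    if len(value) != vlen:
        raise ValueError("ProviderVersion value truncated")
    return {"openwire_version": openwire_version,
            "provider_version": value.decode("utf-8")}


def assess(frame):
    """Parse a frame and add the vulnerability verdict for the advertised version."""
    info = parse_wireformat_info(frame)
    info["vulnerable"] = is_vulnerable_version(info["provider_version"])
    return info


def build_sample_frame(provider_version, openwire_version=12):
    """Constructed, loosely encoded WireFormatInfo frame for offline testing.
    This is a sample built here, not a captured broker response."""
    entries = [
        (b"ProviderName", bytes([STRING_TYPE]) + _utf(b"ActiveMQ")),
        (b"ProviderVersion", bytes([STRING_TYPE]) + _utf(provider_version.encode())),
        (b"PlatformDetails", bytes([STRING_TYPE]) + _utf(b"Java")),
        (b"TightEncodingEnabled", bytes([BOOLEAN_TYPE, 0])),
    ]
    props = struct.pack(">I", len(entries))                 # entry count
    for name, value in entries:
        props += _utf(name) + value
    body = bytes([WIREFORMAT_INFO]) + MAGIC + struct.pack(">I", openwire_version)
    body += b"\x01" + struct.pack(">I", len(props)) + props  # not-null flag, length, map
    return struct.pack(">I", len(body)) + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full frame arrived")
        buf += chunk
    return buf


def fetch_frame(host, port=61616, timeout=5.0):
    """Connect and read the broker's first frame (assumption: the broker speaks first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = _recv_exact(s, 4)
        (size,) = struct.unpack(">I", header)
        if size > 1 << 20:
            raise ValueError("implausible frame size %d" % size)
        return header + _recv_exact(s, size)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 61616
        print(assess(fetch_frame(sys.argv[1], port)))
    else:
        print(assess(build_sample_frame("5.18.2")))   # offline demo on the sample
```

Run it with a host (and optional port) to probe a broker, or with no arguments to see the parser work on the constructed sample. The advertised version is what the broker claims, and an operator can change it, so a "not vulnerable" verdict is a triage aid rather than proof; a "vulnerable" verdict on an internet-facing listener is reason to patch or firewall first and verify afterwards.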

Indicators of Compromise (IOCs) for HelloKitty/FiveHands activity can be found in the FBI's report on the group.