  • T3-24-01-S-N-CL
  • Apache ActiveMQ (CVE-2023-46604)

    The Java OpenWire protocol marshaller is vulnerable to remote code execution. A remote attacker with network access to either a Java-based OpenWire broker or client can run arbitrary shell commands by manipulating the serialized class types carried in the OpenWire protocol, causing the targeted broker or client to instantiate any class on its classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue. The victim container in this scenario runs ActiveMQ 5.17.3, which predates the 5.17.6 fix.
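    As an added example (not part of this dataset page, of its run.py, or of the ActiveMQ project), the Python below shows the defender's side of the description above and of the pcap the tool records: it walks a raw OpenWire byte stream, pulls the class name out of every ExceptionResponse frame (the field the vulnerable marshaller resolves and instantiates), flags names that do not look like a Throwable, and checks a broker version string against the four fixed releases named above. Assumptions: the stream has already been extracted from TCP (no pcap parsing is done here), the peer used OpenWire loose encoding with the size prefix enabled, the class-name test is a string heuristic rather than the JVM assignability check the real fix performs, and the sample frames, including the made-up class com.example.ArbitraryBean, are constructed inline.

```python
import re
import struct

# OpenWire command data type for ExceptionResponse, the only frame type whose
# payload carries a class name that the receiver instantiates.
EXCEPTION_RESPONSE = 31

# First fixed patch level per 5.x branch, as named on this page.
FIXED_PATCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# Assumption (heuristic): a legitimate marshalled throwable has a class name
# ending in Exception/Error/Throwable. The real fix checks Throwable
# assignability inside the JVM; a pcap-side scanner can only inspect strings.
THROWABLE_NAME = re.compile(r"(Exception|Error|Throwable)$")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_patched(version):
    """True/False for the 5.15-5.18 branches covered by the advisory text on
    this page, None for any other branch (consult the Apache advisory)."""
    m = VERSION.match(version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    if (major, minor) < (5, 15):
        return False                     # older than every fixed branch listed
    return None


class Reader:
    """Big-endian cursor with Java DataInput semantics over one frame."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated frame")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int32(self):
        return struct.unpack(">i", self.take(4))[0]

    def boolean(self):
        return self.take(1) != b"\x00"

    def utf(self):                       # readUTF: u16 length + bytes (ASCII here)
        n = struct.unpack(">H", self.take(2))[0]
        return self.take(n).decode("utf-8")

    def loose_string(self):              # loose encoding: presence flag + UTF
        return self.utf() if self.boolean() else None


def parse_frames(data):
    """Split a raw, size-prefixed OpenWire stream into frames; for
    ExceptionResponse frames also extract the class name and message."""
    r, frames = Reader(data), []
    while r.pos < len(data):
        body = Reader(r.take(r.int32()))
        dtype = body.take(1)[0]
        frame = {"type": dtype, "class": None, "message": None}
        if dtype == EXCEPTION_RESPONSE:
            frame["command_id"] = body.int32()
            body.boolean()                          # responseRequired
            frame["correlation_id"] = body.int32()
            if body.boolean():                      # throwable present
                frame["class"] = body.loose_string()
                frame["message"] = body.loose_string()
        frames.append(frame)                        # stack-trace bytes skipped
    return frames


def is_suspicious(frame):
    """Flag an ExceptionResponse whose class name does not look like a Throwable."""
    return (frame["type"] == EXCEPTION_RESPONSE and frame["class"] is not None
            and not THROWABLE_NAME.search(frame["class"]))


def scan(data):
    return [f for f in parse_frames(data) if is_suspicious(f)]


def build_exception_response(clazz, message, command_id, correlation_id):
    """Encode a loose-format ExceptionResponse with an empty stack trace;
    used here only to construct offline sample traffic."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    body = (bytes([EXCEPTION_RESPONSE]) + struct.pack(">i", command_id) + b"\x00"
            + struct.pack(">i", correlation_id) + b"\x01"
            + b"\x01" + utf(clazz) + b"\x01" + utf(message) + struct.pack(">h", 0))
    return struct.pack(">i", len(body)) + body


# Constructed sample stream: a benign broker error, a KeepAliveInfo (type 10),
# and a frame naming a made-up class that is not a Throwable (no real gadget).
SAMPLE_STREAM = (
    build_exception_response("java.lang.IllegalStateException", "broker is shutting down", 7, 3)
    + struct.pack(">i", 6) + bytes([10]) + struct.pack(">i", 8) + b"\x00"
    + build_exception_response("com.example.ArbitraryBean", "constructed payload", 9, 4)
)

if __name__ == "__main__":
    print("ActiveMQ 5.17.3 patched:", is_patched("5.17.3"))
    for hit in scan(SAMPLE_STREAM):
        print("suspicious ExceptionResponse:", hit)
```

    To use this against the ./log/*.pcap files the tool writes, extract the TCP payload of the broker port to a byte string first; the scanner deliberately knows nothing about pcap framing or about tight encoding, which a real client may negotiate.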
  • Environment
    Role             OS              IP           Software         Log collection time   Program runtime
    Attacker         Ubuntu 22.04.2  172.17.0.1   -                19 sec                30 sec
    Victim (docker)  Ubuntu 22.04.2  172.17.0.3   ActiveMQ 5.17.3  -                     -

  • Installing
  • python3 -m pip install -r requirements.txt

  • Using
  • sudo docker load -i T3-24-01-S-N-CL.tar
    sudo python3 run.py [-t TIME] [-f FILE]

    optional arguments:
    -t, --time   Time (in seconds) to collect logs; default 10
    -f, --file   PoC file path; default ./poc.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2024_01_T3_{time}.pcap   # {time} is the capture start, formatted YYmmdd_HHMMSS


  • References
  • [1] NIST, NVD entry for CVE-2023-46604
    [2] AhnLab ASEC, "The Apache ActiveMQ vulnerability that keeps being targeted by attacks (CVE-2023-46604)" (in Korean)
    [3] Apache ActiveMQ, security-advisories.data

  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.