CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

Q: What is CVE-2023-46604?

CVE-2023-46604 is a vulnerability in Apache ActiveMQ that allows remote code execution.

Q: How severe is CVE-2023-46604?

CVE-2023-46604 has a severity rating of 10, which is considered critical.

Q: Which software versions are affected by CVE-2023-46604?

The affected software versions are: 5.18.0 to 5.18.3, 5.17.0 to 5.17.6, 5.16.0 to 5.16.7, and 5.8.0 to 5.15.16.

Q: How can I fix CVE-2023-46604?

To fix CVE-2023-46604, upgrade Apache ActiveMQ to version 5.18.3, 5.17.6, 5.16.7, or 5.15.16.

Q: Where can I find more information about CVE-2023-46604?

More information about CVE-2023-46604 can be found in the references provided: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt, http://www.openwall.com/lists/oss-security/2023/10/27/5, and https://nvd.nist.gov/vuln/detail/CVE-2023-46604.

Published Oct 27, 2023

Updated

Apache ActiveMQ and ActiveMQ Legacy OpenWire Module could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the class types in the OpenWire protocol. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Other sources

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

— CISA

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

— Red Hat

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

— NVD

Affected Software

32 affected componentsFixes available

maven/org.apache.activemq:activemq-openwire-legacy>=5.18.0<5.18.3

5.18.3

maven/org.apache.activemq:activemq-openwire-legacy>=5.17.0<5.17.6

5.17.6

maven/org.apache.activemq:activemq-openwire-legacy>=5.16.0<5.16.7

5.16.7

maven/org.apache.activemq:activemq-openwire-legacy>=5.8.0<5.15.16

5.15.16

maven/org.apache.activemq:activemq-client>=5.18.0<5.18.3

5.18.3

maven/org.apache.activemq:activemq-client>=5.17.0<5.17.6

5.17.6

maven/org.apache.activemq:activemq-client>=5.16.0<5.16.7

5.16.7

maven/org.apache.activemq:activemq-client<5.15.16

5.15.16

debian/activemq<=5.16.1-1

5.16.1-1+deb11u15.17.2+dfsg-2+deb12u15.17.6+dfsg-1

Apache ActiveMQ

IBM Secure Proxy<=6.0.3

IBM Secure Proxy<=6.1.0

redhat/activemq<5.18.3

5.18.3

redhat/activemq<5.17.6

5.17.6

redhat/activemq<5.15.16

5.15.16

redhat/activemq-openwire-legacy<5.18.3

5.18.3

redhat/activemq-openwire-legacy<5.17.6

5.17.6

redhat/activemq-openwire-legacy<5.16.7

5.16.7

redhat/activemq-openwire-legacy<5.15.16

5.15.16

Apache ActiveMQ<5.15.16

Apache ActiveMQ>=5.16.0<5.16.7

Apache ActiveMQ>=5.17.0<5.17.6

Apache ActiveMQ>=5.18.0<5.18.3

Apache ActiveMQ Legacy OpenWire Module<5.15.16

Apache ActiveMQ Legacy OpenWire Module>=5.16.0<5.16.7

Apache ActiveMQ Legacy OpenWire Module>=5.17.0<5.17.6

Apache ActiveMQ Legacy OpenWire Module>=5.18.0<5.18.3

Debian Debian Linux=10.0

NetApp E-series Santricity Unified Manager

NetApp E-series Santricity Web Services Proxy

NetApp Santricity Storage Plugin Vcenter

Debian Debian Linux=11.0

Remediation

Information

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Event History

Oct 27, 2023

CVE Published

via MITRE·02:59 PM

Data Sourced

via MITRE·02:59 PM

DescriptionSeverityWeakness

Data Sourced

via NVD·03:15 PM

DescriptionSeverityWeaknessAffected Software

Advisory Published

via GitHub·03:30 PM

Data Sourced

via Red Hat·07:44 PM

DescriptionSeverityAffected Software

Nov 2, 2023

Known Exploited

via CISA·12:00 AM

Known Ransomware

via CISA·12:00 AM

Nov 20, 2023

News Published

04:54 PM

Nov 21, 2023

News Published

05:56 PM

Jul 23, 2024

Data Sourced

via Launchpad·09:31 PM

Description

Sep 13, 2024

Data Sourced

via Ubuntu·09:39 PM

RemedyDescriptionSeverityAffected Software

Jan 23, 2025

News Published

via The Register·01:06 AM

News Published

via The Register·01:11 AM

Aug 19, 2025

News Published

via ZDNet·01:30 PM

News Published

via The Register·08:28 PM

Aug 23, 2025

News Published

via ZDNet·02:19 PM

Apr 8, 2026

News Published

via BleepingComputer·05:26 PM

News Published

via BleepingComputer·05:27 PM

Apr 17, 2026

News Published

via BleepingComputer·09:30 AM

Apr 21, 2026

News Published

via BleepingComputer·11:17 AM

Parent advisories

This vulnerability appears in the following advisories.

IBM-7142038

Peer vulnerabilities

Found alongside the following vulnerabilities.

Frequently Asked Questions

What is CVE-2023-46604?

CVE-2023-46604 is a vulnerability in Apache ActiveMQ that allows remote code execution.

How severe is CVE-2023-46604?

CVE-2023-46604 has a severity rating of 10, which is considered critical.

Which software versions are affected by CVE-2023-46604?

The affected software versions are: 5.18.0 to 5.18.3, 5.17.0 to 5.17.6, 5.16.0 to 5.16.7, and 5.8.0 to 5.15.16.

How can I fix CVE-2023-46604?

To fix CVE-2023-46604, upgrade Apache ActiveMQ to version 5.18.3, 5.17.6, 5.16.7, or 5.15.16.

Where can I find more information about CVE-2023-46604?

More information about CVE-2023-46604 can be found in the references provided: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt, http://www.openwall.com/lists/oss-security/2023/10/27/5, and https://nvd.nist.gov/vuln/detail/CVE-2023-46604.

CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

Other sources

Affected Software

Remediation

Information

Event History

Parent advisories

Peer vulnerabilities

Don't miss critical vulnerabilities

Frequently Asked Questions

What is CVE-2023-46604?

How severe is CVE-2023-46604?

Which software versions are affected by CVE-2023-46604?

How can I fix CVE-2023-46604?

Where can I find more information about CVE-2023-46604?

Company

Resources

Contact