MEDIUM: Accessible ActiveMQ Service Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SECURITY LEVEL: MEDIUM

Introduction

This report identifies accessible Apache ActiveMQ servers on port 61616/TCP. ActiveMQ is a popular open source multi-protocol message broker.

ActiveMQ has a set of security features which should be enabled if possible.

Additionally, different ActiveMQ versions have had multiple CVE found in them in the past.

CVE-2023-46604  (Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack) was disclosed on the 27th of October 2023.

As described in the NVD entry for CVE-2023-46604 the vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.  Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

How we scan

We scan by sending an equivalent of a “hello” using the OpenWire protocol WireFormatInfo request and expecting a BrokerInfo response.

We determine the vulnerability through a version check only.

We do not perform any intrusive checks on a discovered service.

As of 2023-10-30, we identify 7249 accessible ActiveMQ services. Out of these 3329 where found vulnerable to CVE-2023-46604. These are assigned severity level CRITICAL.

Dashboard

You can track accessible ActiveMQ servers on our Dashboard. You can then select the cve-2023-46604 tag to view instances with that particular vulnerability.

Mitigation

If you receive a report from us with an accessible ActiveMQ service, make sure it is configured appropriately according to your security policy which may include restriction to  trusted sources only.

If you received a report with events tagged cve-2023-46604 make sure to investigate for possible compromise and patch your version.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

Filename: scan_activemq, scan6_activemq

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that the response came from (typically 61616/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to activemq only if not found vulnerable. A cve-2023-46604 tag will be set if the ActiveMQ service is found vulnerable.
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector of the device in question
  • command
    Command sent (WireFormatInfo)
  • vendor
    ActiveMQ vendor
  • version
    ActiveMQ service version

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","command","vendor","version"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,61616,node01.example.com,activemq;cve-2023-46604,64512,ZZ,Region,City,0,,,WireFormatInfo,ActiveMQ,5.17.4
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,61616,node02.example.com,activemq;cve-2023-46604,64512,ZZ,Region,City,0,,,WireFormatInfo,ActiveMQ,5.16.5
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,61616,node03.example.com,activemq;cve-2023-46604,64512,ZZ,Region,City,0,,,WireFormatInfo,ActiveMQ,5.15.2



Our 132 Report Types