PRP: Request CVE-2023-46604 RCE Vulnerability in Apache ActiveMQ

[hh-hunter]

Hello.

I would like to start implementing a plugin to detect CVE-2023-46604,This vulnerability should be relatively new and has been patched.

• https://activemq.apache.org/news/cve-2023-46604
• https://nvd.nist.gov/vuln/detail/CVE-2023-46604

The vulnerability has been assigned a CVE ID CVE-2023-46604 (CVSS score >= 7.0) and the severity level of the vulnerability is HIGH or CRITICAL: CVSS score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

The vulnerability can be exploited remotely without authentication and user interaction.

Please let me know if this is in scope to start with its development.

[tooryx]

Hi @hh-hunter,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work at one issue at a time for each participant so please hold on the implementation work for any other requests you might have.

Thanks!

[hh-hunter]

@tooryx Hi, I noticed that the log4j detection logic I submitted earlier is no longer in the code. What is it caused by?

[hh-hunter]

@tooryx Does the relevant class exist now that can implement this operation of deploying an XML file remotely to exploit this vulnerability?If not, I am prepared to write a direct version detection logic instead of executing vulnerable commands.

[tooryx]

Hi @hh-hunter,

I have labeled your other issues as "Contributor queue" for now. We are enforcing more strictly the one review per contributor as we cannot keep up with review otherwise. We will review this plugin and then dequeue the other ones progressively.

If you think I incorrectly labeled one of the issues, please let me know. ~tooryx

[hh-hunter]

Okay.I have accumulated a lot of plugins, please review them as soon as possible. In addition, regarding the vulnerability in the password recovery email of GitLab, I believe using the built-in oob domain name in Tsunami is a perfect solution, under the current version of Tsunami plugin. If contributors within the community are unable to complete vulnerability requests, they should be handed over to other contributors to complete.