CVE-2023-46604
critical-risk
Published 2023-10-27
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
Do I need to act?
EPSS: 94.4% chance of exploitation in the next 30 days (score higher than 6% of all CVEs)
CISA KEV: actively exploited in the wild (listed on the Known Exploited Vulnerabilities catalog; federal agencies must patch)
Fix available. Upgrade to: 691e8f9e6d96dd58791f4fe9add7aead47677a67, 4bbb055187166706103d785e9665efb439792c51, 4a25366541fed60b15b4a068f2d3018f533cdeb9, 5f6edd9781c1438aa40fd4c7ec243a76a6be38c0
CVSS 10.0/10 (Critical); attack vector: NETWORK, attack complexity: LOW
Affected Products (7)
References (14)
Mailing List
http://seclists.org/fulldisclosure/2024/Apr/18
Third Party Advisory
https://security.netapp.com/advisory/ntap-20231110-0010/
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-...
Risk score: 74/100 (critical-risk)
Severity: 33/34 · Critical
Exploitability: 27/34 · High
Exposure: 14/34 · Moderate