CVE-2023-46604 (Apache ActiveMQ) Exploited to Infect Systems With Cryptominers and Rootkits

We uncovered the active exploitation of the Apache ActiveMQ vulnerability CVE-2023-46604 to download and infect Linux systems with the Kinsing malware (also known as h2miner) and cryptocurrency miner. When exploited, this vulnerability leads to remote code execution (RCE), which Kinsing uses to download and install malware. The vulnerability itself is due to OpenWire commands failing to validate throwable class type, leading to RCE.

ActiveMQ (written in Java) is an open-source protocol developed by Apache that implements message-oriented middleware (MOM). Its main function is to send messages between different applications. It also includes additional features like STOMP, Jakarta Messaging (JMS), and OpenWire.

The Kinsing malware is a critical threat that primarily targets Linux-based systems and can infiltrate servers and spread rapidly across a network. It gains entry by exploiting vulnerabilities in web applications or misconfigured container environments.  

Recently, the threat actors behind Kinsing have been exploiting high-profile vulnerabilities such as CVE-2023-4911 (Looney Tunables). Once Kinsing infects a system, it deploys a cryptocurrency-mining script that exploits the host’s resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance.

The following list details affected Apache ActiveMQ versions that are vulnerable to CVE-2023-46604:

• Apache ActiveMQ 5.18.0 before 5.18.3
• Apache ActiveMQ 5.17.0 before 5.17.6
• Apache ActiveMQ 5.16.0 before 5.16.7
• Apache ActiveMQ before 5.15.16
• Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
• Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
• Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
• Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Users are recommended to upgrade both Java OpenWire brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, as any of these fixes the issue.

Based on AMQ-9370, we are able to check the root cause of the vulnerability, which is an issue pertaining to the validation of throwable class types when OpenWire commands are unmarshalled.

OpenWire is a binary protocol that has been specifically designed for working with message-oriented middleware. It serves as the native wire format of ActiveMQ, which is a widely used open-source messaging and integration platform. OpenWire’s binary format offers several advantages over other formats, such as its efficient use of bandwidth and its ability to support a wide range of message types. These characteristics make it an ideal choice for businesses and organizations that require a reliable and high-performance messaging system.

Based on the patch difference, we can see that the validateIsThrowable method has been included in the BaseDataStreamMarshall class.