This advisory is archived
Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.
- Advisory ID: CV_2023_11_1
- Title: Remote Code Execution Vulnerability in Apache ActiveMQ
- Severity: CRITICAL
- Issued: 2023-11-06
- Updated: 2023-11-06
- CVSS Score Range: 9.0 - 10.0
- Additional Links:
Impacted Products
The vulnerability affects the Commvault Web Server.
Resolution
We have issued an update to replace the older versions of the Apache ActiveMQ component with version 5.18.3 on the Web Server.
To fix this vulnerability, install the following updates for the affected Platform Release on the Web Server:
Platform Release | Minimum Maintenance Release | Update Bundles |
---|---|---|
2023E | 11.32.23 | |
2023 | 11.30.64 | |
2022E | 11.28.83 | |
CVE Details
Info | Description |
---|---|
| The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. |
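As an added example that is not part of the advisory, the following Python script encodes the fixed ActiveMQ versions from the CVE description and the minimum Commvault Maintenance Releases from the Resolution table, then flags inventory entries that fall below them. The hostnames and installed versions are constructed, and any ActiveMQ branch or Platform Release the advisory does not list is reported for manual review rather than assumed fixed.

```python
# Fixed Apache ActiveMQ versions per branch, as quoted in the CVE description above.
ACTIVEMQ_FIXED = {
    (5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6), (5, 18): (5, 18, 3),
}

# Commvault Platform Release -> minimum Maintenance Release, from the Resolution table above.
COMMVAULT_MIN_MR = {"2023E": (11, 32, 23), "2023": (11, 30, 64), "2022E": (11, 28, 83)}

def parse_version(text):
    """Turn '5.18.2' or '11.32.23' into an int tuple; a suffix such as '-SNAPSHOT' is dropped."""
    parts = tuple(int(p) for p in text.strip().split("-")[0].split("."))
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def activemq_status(version):
    """Return 'fixed', 'vulnerable', or 'review' when the branch is not listed in the advisory."""
    v = parse_version(version)
    fixed = ACTIVEMQ_FIXED.get(v[:2])
    if fixed is None:
        return "review"  # e.g. 5.14.x: the advisory lists no fix for this branch
    return "fixed" if v >= fixed else "vulnerable"

def commvault_status(platform_release, maintenance_release):
    """Compare a Web Server's Maintenance Release with the advisory minimum for its Platform Release."""
    minimum = COMMVAULT_MIN_MR.get(platform_release)
    if minimum is None:
        return "review"  # Platform Release not covered by this advisory
    return "fixed" if parse_version(maintenance_release) >= minimum else "vulnerable"

# Constructed sample inventory; hostnames and installed versions are made up for this example.
INVENTORY = [
    {"host": "cv-web-01", "platform": "2023E", "mr": "11.32.22"},
    {"host": "cv-web-02", "platform": "2023", "mr": "11.30.64"},
    {"host": "mq-01", "activemq": "5.18.2"},
    {"host": "mq-02", "activemq": "5.15.16"},
    {"host": "mq-03", "activemq": "5.14.5"},
]

def triage(inventory):
    # Map each host to its status so 'vulnerable' and 'review' entries can be actioned.
    return {
        item["host"]: activemq_status(item["activemq"]) if "activemq" in item
        else commvault_status(item["platform"], item["mr"])
        for item in inventory
    }

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}: {status}")
```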