
Security Advisories


CV_2023_11_1: Remote Code Execution Vulnerability in Apache ActiveMQ CRITICAL

This advisory is archived

Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.

  • Advisory ID: CV_2023_11_1
  • Title: Remote Code Execution Vulnerability in Apache ActiveMQ
  • Severity: CRITICAL
  • Issued: 2023-11-06
  • Updated: 2023-11-06
  • CVSS Score Range: 9.0 - 10.0
  • Additional Links:

Impacted Products

The vulnerability affects the Commvault Web Server.

Resolution

We have issued an update to replace the older versions of the Apache ActiveMQ component with version 5.18.3 on the Web Server.

To fix this vulnerability, install the following updates for the affected Platform Release on the Web Server:

Platform Release   Minimum Maintenance Release   Update Bundles
2023E              11.32.23                      UpdateBundle_Build1108152_Form8457
                                                 UpdateBundle_Build1108152_Form8459
2023               11.30.64                      UpdateBundle_Build1108145_Form6573
                                                 UpdateBundle_Build1108145_Form6572
2022E              11.28.83                      UpdateBundle_Build1108141_Form5806
                                                 UpdateBundle_Build1108141_Form5807

CVE Details

Description

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
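Because the fix is a component swap rather than a configuration change, the practical post-patch check is to confirm that no ActiveMQ jar older than the fixed versions above remains on the Web Server. The script below is an added example, not Commvault's or Apache's code. It assumes the component is shipped as ordinary activemq-*.jar files under some install directory (the path is passed on the command line and is hypothetical), derives each jar's version from its file name or, failing that, from the jar's MANIFEST.MF, and flags anything older than the first fixed release of its own branch. Branches older than 5.15 have no fixed release and are always flagged; branches newer than 5.18 are assumed to carry the fix, which the advisory does not state.

```python
"""Added example (not Commvault's or Apache's code): flag Apache ActiveMQ jars
that predate the OpenWire RCE fix (5.15.16, 5.16.7, 5.17.6, 5.18.3)."""
import os
import re
import sys
import zipfile
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per 5.x branch, as listed in the advisory text.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Matches e.g. activemq-client-5.15.9.jar, activemq-openwire-legacy-5.18.3.jar
JAR_NAME_RE = re.compile(r"^activemq-.*\.jar$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """First x.y.z triple found in text, or None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_activemq_jar(name: str) -> bool:
    return bool(JAR_NAME_RE.match(os.path.basename(name)))


def version_from_jar_name(name: str) -> Optional[Version]:
    """Version embedded in an ActiveMQ jar file name; None for other jars or unversioned names."""
    base = os.path.basename(name)
    return parse_version(base) if is_activemq_jar(base) else None


def version_from_manifest(jar_path: str) -> Optional[Version]:
    """Fallback for renamed jars: Implementation-Version or Bundle-Version from MANIFEST.MF."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, zipfile.BadZipFile, KeyError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return parse_version(value)
    return None


def is_vulnerable(version: Version) -> bool:
    """True if the version is older than the fix for its branch.

    Branches before 5.15 never received a fix, so they are always flagged.
    Branches after 5.18 are assumed fixed (an assumption; the advisory lists
    only the 5.15 to 5.18 fixes).
    """
    branch = version[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return branch < (5, 15)
    return version < fixed


def status_of(version: Optional[Version]) -> str:
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def assess(names: Iterable[str]) -> List[Tuple[str, Optional[Version], str]]:
    """Classify ActiveMQ jar names as vulnerable / fixed / unknown; other jars are skipped."""
    results = []
    for name in names:
        if is_activemq_jar(name):
            version = version_from_jar_name(name)
            results.append((os.path.basename(name), version, status_of(version)))
    return results


def scan(root: str) -> List[Tuple[str, Optional[Version], str]]:
    """Walk root and assess every ActiveMQ jar, reading the manifest when the name has no version."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not is_activemq_jar(f):
                continue
            path = os.path.join(dirpath, f)
            version = version_from_jar_name(f) or version_from_manifest(path)
            findings.append((path, version, status_of(version)))
    return findings


if __name__ == "__main__":
    # Hypothetical path: point this at the Web Server's ActiveMQ library directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = scan(root)
    for path, version, status in findings:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:10} {shown:10} {path}")
    sys.exit(1 if any(s == "vulnerable" for _, _, s in findings) else 0)
```

A jar reported as "unknown" (no version in the name and none in its manifest) should be inspected by hand rather than treated as fixed; a non-zero exit status makes the script usable as a post-deployment gate. Note that the check only confirms which ActiveMQ artefacts are on disk; it does not prove that the running process has been restarted onto the new jars.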
