Published: June 4, 2026, 10:39 p.m.
Description: On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.
Severity: 8.2 | HIGH
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2023-5502
Immediately restrict network access to Apache ActiveMQ instances from untrusted sources. Prioritize blocking external internet access to the OpenWire protocol port (default 61616). If possible, isolate affected ActiveMQ servers from the network to prevent further compromise, ensuring critical service continuity is maintained where applicable. Review ActiveMQ server logs and system logs for any signs of compromise, such as unusual process execution, unexpected outbound connections, or error messages related to deserialization failures or suspicious class loading. Prepare for an urgent patching cycle.
2. PATCH AND UPDATE INFORMATION
This vulnerability affects Apache ActiveMQ versions 5.18.0 through 5.18.3, 5.17.0 through 5.17.6, and 5.16.0 through 5.16.7.
To remediate this vulnerability, upgrade your Apache ActiveMQ installations to the patched versions:
Apache ActiveMQ 5.18.4 or later
Apache ActiveMQ 5.17.7 or later
Apache ActiveMQ 5.16.8 or later
Obtain the official patched releases directly from the Apache ActiveMQ website (activemq.apache.org). Follow the standard upgrade procedures for your ActiveMQ deployment, ensuring proper backups are taken before initiating the upgrade. Verify the integrity of the downloaded update packages using checksums provided by Apache.
3. MITIGATION STRATEGIES
If immediate patching is not feasible, implement the following mitigation strategies to reduce exposure:
Network Segmentation and Firewall Rules: Implement strict firewall rules to limit access to the ActiveMQ OpenWire port (default TCP 61616) only to trusted internal IP addresses or specific application servers that require connectivity. Do not expose this port directly to the internet.
Disable OpenWire Protocol: If the OpenWire protocol is not strictly required for your ActiveMQ deployment, consider disabling it entirely in the ActiveMQ configuration to eliminate the attack vector.
Protocol Restriction: If OpenWire is necessary, evaluate if other less vulnerable protocols (e.g., AMQP, MQTT, STOMP) can be used for external or untrusted client connections, restricting OpenWire usage to highly trusted internal systems only.
Java Deserialization Filtering: While ActiveMQ includes some deserialization filtering capabilities in newer versions, this specific vulnerability may bypass older or default configurations. Ensure any available deserialization filtering is enabled and configured with a strict allowlist of trusted classes, if applicable to your version and deployment. However, this should not be considered a primary mitigation for CVE-2023-5502; upgrading is the most effective solution.
4. DETECTION METHODS
Implement the following detection methods to identify potential exploitation attempts or successful compromises:
Network Traffic Monitoring: Monitor network traffic on ActiveMQ OpenWire ports (e.g., 61616) for unusual patterns, high volumes from unexpected sources, or connections from external networks. Look for large or malformed OpenWire messages.
Log Analysis: Regularly review ActiveMQ server logs (activemq.log) for errors related to deserialization, class loading exceptions, or any unusual activity immediately following a connection from an untrusted source. Monitor system logs for unexpected process spawns, shell commands, or outbound network connections initiated by the ActiveMQ process.
Endpoint Detection and Response (EDR): Deploy EDR solutions on ActiveMQ host systems to monitor for anomalous process creation, file system modifications (e.g., creation of new executables or web shells), and suspicious network activity originating from the ActiveMQ user or process.
Intrusion Detection/Prevention Systems (IDS/IPS): Configure IDS/IPS to detect known exploit signatures if available, or to flag suspicious activity patterns on ActiveMQ ports.
5. LONG-TERM PREVENTION
Establish a robust long-term security posture to prevent similar vulnerabilities:
Regular Patch Management: Implement a comprehensive and timely patch management program for all software, especially for critical infrastructure components like message brokers. Subscribe to security advisories from Apache ActiveMQ and relevant security organizations.
Principle of Least Privilege: Configure ActiveMQ to run with the lowest possible user privileges