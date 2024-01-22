A critical remote code execution (RCE) vulnerability in the Apache ActiveMQ message broker, patched by Apache in October 2023, is being widely exploited by attackers, according to research from Trustwave.

The vulnerability, tracked as CVE-2023-46604, is being used to plant and execute malicious JavaServer Pages (JSP) web shells, derived from the open source Godzilla web shell, on affected Apache ActiveMQ hosts.

“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners,” Trustwave said in a blog post. “Notably, despite the binary’s unknown file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”

The flaw stems from unsafe deserialization in the OpenWire protocol used by ActiveMQ: by manipulating the serialized class types carried in an OpenWire message, a remote attacker with network access to either a Java-based OpenWire broker (the messaging server) or an OpenWire client (an endpoint that sends or receives messages) can cause the receiving side to instantiate any class on its classpath, and from there run arbitrary shell commands. Apache fixed the issue in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3; anything older on those lines, or on the end-of-life lines before 5.15, remains exposed wherever the OpenWire port (61616 by default) is reachable.
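A practical first check is whether a reachable broker still reports a pre-fix version. The script below is an added example, not Trustwave's or Apache's code: it reads the WireFormatInfo frame an ActiveMQ Classic broker sends unsolicited on connect, pulls the ProviderVersion string out of the marshalled properties map (entries are laid out as a Java UTF key, a one-byte type tag, then the value, so the scanner looks for the key bytes instead of parsing the whole frame), and compares that version with the fixed releases listed above. The sample frame is constructed for offline use; its header bytes are only an approximation, and only the properties entries follow the real OpenWire layout.

```python
import re
import socket
import struct
from typing import Optional, Tuple

# First fixed release of each affected 5.x line, per the Apache advisory for CVE-2023-46604.
FIXED_IN = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Type tag OpenWire's MarshallingSupport writes before a String value in a primitive
# map; the string itself follows as Java writeUTF (2-byte big-endian length + bytes).
STRING_TYPE = 9


def provider_version(frame: bytes) -> Optional[str]:
    """Extract the ProviderVersion string from a raw OpenWire WireFormatInfo frame.

    Map entries are marshalled as writeUTF(key) | type byte | value, so we locate
    the key bytes and read the string that follows rather than walking the whole
    frame (whose outer layout differs between tight and loose encoding).
    """
    key = b"ProviderVersion"
    i = frame.find(key)
    if i < 0:
        return None
    p = i + len(key)
    if p + 3 > len(frame) or frame[p] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", frame[p + 1:p + 3])
    value = frame[p + 3:p + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix for its line, False if fixed, None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    major, minor, _ = v
    if major != 5:
        return False        # 6.x shipped after the fix and is not listed as affected
    if minor < 15:
        return True         # end-of-life 5.x lines never received the fix
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None         # a 5.x line the advisory does not mention; decide by hand
    return v < fixed


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection early")
        buf += chunk
    return buf


def grab_wireformat_info(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Connect to the OpenWire TCP transport and return the broker's first frame.
    Frames are prefixed with a 4-byte big-endian length of the data that follows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        head = _recv_exact(s, 4)
        (size,) = struct.unpack(">i", head)
        return head + _recv_exact(s, size)


def check_host(host: str, port: int = 61616) -> Tuple[Optional[str], Optional[bool]]:
    ver = provider_version(grab_wireformat_info(host, port))
    return ver, (None if ver is None else is_vulnerable(ver))


def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


# Constructed sample frame (not a real capture): header fields are approximate,
# the three map entries follow the documented key | type | value layout.
SAMPLE_FRAME = (
    b"\x00\x00\x00\x00"                  # frame length (placeholder)
    + b"\x01"                            # WIREFORMAT_INFO data-structure type
    + b"ActiveMQ"                        # magic
    + struct.pack(">i", 12)              # OpenWire protocol version
    + b"\x01" + struct.pack(">i", 0)     # marshalled-properties present + length (placeholder)
    + struct.pack(">i", 3)               # map entry count
    + _utf("ProviderName") + bytes([STRING_TYPE]) + _utf("ActiveMQ")
    + _utf("ProviderVersion") + bytes([STRING_TYPE]) + _utf("5.18.2")
    + _utf("PlatformDetails") + bytes([STRING_TYPE]) + _utf("Java")
)

if __name__ == "__main__":
    v = provider_version(SAMPLE_FRAME)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Run `check_host("broker.internal")` against your own brokers; a reported version is only a hint (operators can rebuild or rebrand, and ActiveMQ Artemis, which also speaks OpenWire, is not affected), so confirm against the installed package before closing a ticket.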

Concealed Godzilla runs without detection

Trustwave researchers identified suspicious JSP files dropped in the “admin” folder within the ActiveMQ installation directory of a vulnerable Apache ActiveMQ instance. That folder holds the server-side pages for the ActiveMQ administrative and web management console, so any JSP placed there is served by the console’s own web application, according to Trustwave.

“Upon further analysis, Trustwave SpiderLabs determined that this JSP code came from an open source web shell known as the Godzilla Web shell,” Trustwave said.
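The two observations above, a JSP that appears in the console’s admin folder and a JSP whose scriptlet is wrapped in binary junk that the JSP engine tolerates because template text outside the `<% %>` tags is simply copied to the response, suggest a straightforward hunt. The script below is an added example, not Trustwave’s tooling: it walks a webapps tree, flags any `.jsp` that is missing from, or differs from, a clean-install baseline of SHA-256 hashes, and separately flags files that contain a JSP tag but otherwise look binary. The directory it scans in `demo()` is constructed in a temporary folder so the example runs offline; the baseline dictionary and the stand-in “shell” file are assumptions for illustration, not real indicators.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Tags that make the JSP compiler treat a file as executable; anything around them,
# binary or not, is emitted as template text, which is why a binary-wrapped shell compiles.
JSP_MARKERS = (b"<%", b"<jsp:")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_binary(data: bytes, head: int = 1024, max_control_ratio: float = 0.05) -> bool:
    """Heuristic: a NUL byte, or too many control characters, in the leading bytes."""
    sample = data[:head]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    control = sum(1 for b in sample if b < 0x20 and b not in (0x09, 0x0A, 0x0D))
    return control / len(sample) > max_control_ratio


def scan_admin_jsps(root, baseline: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (relative path, reasons) for every suspicious .jsp under root.

    baseline maps relative POSIX paths (e.g. "admin/index.jsp") to the SHA-256
    of the file as shipped in the matching ActiveMQ distribution.
    """
    root = Path(root)
    findings: List[Tuple[str, List[str]]] = []
    for path in sorted(root.rglob("*.jsp")):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        reasons: List[str] = []
        if looks_binary(data) and any(marker in data for marker in JSP_MARKERS):
            reasons.append("binary-wrapped JSP scriptlet")
        expected = baseline.get(rel)
        if expected is None:
            reasons.append("JSP not present in clean install")
        elif expected != sha256(data):
            reasons.append("stock JSP modified")
        if reasons:
            findings.append((rel, reasons))
    return findings


def demo() -> List[Tuple[str, List[str]]]:
    """Build a constructed webapps tree in a temp dir and scan it (sample data, not a capture)."""
    root = Path(tempfile.mkdtemp(prefix="amq-jsp-"))
    admin = root / "admin"
    admin.mkdir()
    stock = b'<%@ page contentType="text/html;charset=UTF-8" %>\n<html><body>console</body></html>\n'
    (admin / "index.jsp").write_bytes(stock)                      # untouched stock page
    (admin / "queues.jsp").write_bytes(stock + b"<!-- edited -->\n")  # stock page, tampered
    # Stand-in for a binary-wrapped page: opaque bytes on both sides of a harmless scriptlet.
    (admin / "x.jsp").write_bytes(
        bytes(range(256)) * 4
        + b'<% String p = request.getParameter("p"); %>'
        + b"\x00\xff" * 64
    )
    # Assumed baseline, as if generated from a clean install of the same version.
    baseline = {"admin/index.jsp": sha256(stock), "admin/queues.jsp": sha256(stock)}
    return scan_admin_jsps(root, baseline)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

Generate the baseline from a pristine copy of the same ActiveMQ release (`find webapps -name '*.jsp' -exec sha256sum {} +`) and point `scan_admin_jsps` at the live `webapps` directory; the hash comparison catches a shell dropped under a legitimate file name, which the binary heuristic alone would miss if the attacker kept the file plain text.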