Security Advisory: Apache ActiveMQ Vulnerability (CVE-2023-46604)
Last Updated: 17 November 2023
Peer Software has been monitoring the news surrounding the recently discovered CRITICAL remote code execution vulnerability that involves Apache ActiveMQ (CVE-2023-46604). As this vulnerability is new, we will continue to review and post updates to this advisory as necessary.
Based on the information currently available, this vulnerability does affect Peer Global File Service (PeerGFS) and PeerIQ.
Product/Tool | Version(s) | Status | Description |
---|---|---|---|
Peer Global File Service | | Impacted | PeerGFS uses Apache ActiveMQ to communicate between the Peer Management Center, Peer Agents, and PeerIQ. As far as we know, the vulnerability will be an issue for customers exposing the non-TLS-encrypted port (61616) to the Internet. See below for more information. |
PeerIQ | | Impacted | PeerIQ uses Apache ActiveMQ to communicate with the Peer Management Center. As far as we know, the vulnerability will be an issue for customers exposing the non-TLS-encrypted port (61616) to the Internet. See below for more information. |
PeerSync | All | Not impacted | PeerSync does not use Apache ActiveMQ. |
File System Analyzer | All | Not impacted | File System Analyzer does not use Apache ActiveMQ. |
File Activity Analyzer | All | Not impacted | File Activity Analyzer does not use Apache ActiveMQ. |
Health Checker | All | Not impacted | Health Checker does not use Apache ActiveMQ. |
Background and Impact
The Peer Management Broker is based on Apache ActiveMQ and is the specific component of PeerGFS that is affected by this vulnerability. The Peer Management Broker can be installed as a standalone service but is more commonly deployed as part of the Peer Management Center installation. Apache ActiveMQ is also used by PeerIQ to communicate with the other components of PeerGFS.
If the non-TLS-encrypted port of the Peer Management Broker or PeerIQ (port 61616) is open to the Internet, the Peer Management Broker and PeerIQ can be susceptible to this remote code execution vulnerability. While we believe that it is very rare that a customer would expose this unencrypted port to the Internet for either component, it is still something that can be done.
Recommended Next Steps
PeerGFS
We have prepared updates for PeerGFS v5.0, v5.1 and v5.2 to patch the affected Apache ActiveMQ software. These three major releases are all actively supported, based on our Peer Software Lifecycle Policy. We have also decided to backport the fix for the ActiveMQ vulnerability to PeerGFS v4.7 even though that release is no longer actively supported.
The Check for Updates mechanism within Peer Management Center can be used to check for and obtain the appropriate update. Details on how to update PeerGFS can be found here. If you are unable to use the Check for Updates mechanism within the PMC, the download links within our registration emails will also point to the latest update that will fix this vulnerability. If you do not have access to this email, please contact our support team via the Peer Service Desk to get the appropriate download link.
If you are running a version of PeerGFS that is older than v4.7 but have a valid maintenance or subscription contract, you may request an upgrade here. In the meantime, please consider the mitigation steps below.
If you are no longer on a valid maintenance or subscription contract or are unable to upgrade to a major release that includes this fix, please reach out to our support team via the Peer Service Desk to review options. In the meantime, please consider the mitigation steps below.
PeerIQ
We have prepared an update for PeerIQ v5.2 that will patch the affected Apache ActiveMQ software. Customers running PeerIQ v5.1 should upgrade to the latest PeerIQ v5.2 update as PeerIQ v5.2 is backwards compatible with PeerGFS v5.1.1. Details on how to update PeerIQ can be found here.
As PeerIQ requires a valid subscription contract, there will be no update options for customers whose subscriptions have expired.
Mitigation
PeerGFS
If you are unable to quickly upgrade PeerGFS and your Peer Management Center/Broker server is Internet-facing, we strongly recommend using your firewall to ensure that Internet-facing access to inbound port 61616 is blocked.
If you are using unencrypted port 61616 to communicate between remote Agents and an Internet-facing Peer Management Center/Broker, we strongly recommend that you immediately change to using TLS encryption and port 61617 for the remote Agents, then block Internet-facing access to port 61616 on the Peer Management Center/Broker server.
Important Note: You will not be able to put a complete block on port 61616 using Windows Firewall or ufw (uncomplicated firewall) on the server where Peer Management Center/Broker is installed unless all Peer Agents and PeerIQ are configured to use TLS encryption with port 61617, including ones on your firewalled and/or VPN network.
PeerIQ
If you are unable to quickly upgrade PeerIQ and your PeerIQ virtual appliance is Internet-facing, we strongly recommend using your firewall to ensure that Internet-facing access to inbound port 61616 is blocked.
If your deployment of PeerIQ is Internet-facing and you are using unencrypted port 61616 to communicate between PeerIQ and the Peer Management Center, we strongly recommend that you immediately change to using TLS encryption and port 61617, then block all access to port 61616 on the PeerIQ virtual appliance.
Important Note: You will not be able to put a complete block on port 61616 using ufw on the PeerIQ virtual appliance unless PeerIQ is configured to use TLS encryption with port 61617 when talking to the PMC.
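One defender-side check that follows from the mitigation steps for both PeerGFS and PeerIQ above, added here as an example (not Peer Software's or Apache's code): it audits an ActiveMQ-style broker configuration and flags every listener that is still plaintext, so it can be firewalled from the Internet or moved to the TLS port. The sample XML is constructed, and the location and layout of the real broker configuration file inside PeerGFS/PeerIQ are assumptions, not taken from this advisory.

```python
"""Flag non-TLS ActiveMQ transport connectors (e.g. tcp://...:61616) that
should be firewalled or migrated to the ssl://...:61617 listener."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TLS_SCHEMES = {"ssl", "nio+ssl", "https", "wss"}
WILDCARD_HOSTS = {"0.0.0.0", "::", ""}  # bound on every interface

# Constructed sample in the shape of a stock activemq.xml; the real PMC broker
# configuration path and layout are assumed, not taken from the advisory.
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="pmc-broker">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="openwire-tls" uri="ssl://0.0.0.0:61617?maximumConnections=1000"/>
      <transportConnector name="local-only" uri="tcp://127.0.0.1:61618"/>
    </transportConnectors>
  </broker>
</beans>"""


def audit_connectors(xml_text):
    """Return one finding per <transportConnector>, classified by exposure risk."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Match on the local tag name so the config's XML namespaces do not matter.
        if elem.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        uri = urlparse(elem.get("uri", ""))
        scheme = uri.scheme.lower()
        host = uri.hostname or ""
        tls = scheme in TLS_SCHEMES
        if tls:
            risk = "ok"
        elif host in WILDCARD_HOSTS:
            risk = "high"    # plaintext listener reachable on every interface
        else:
            risk = "medium"  # plaintext, but bound to one specific address
        findings.append({"name": elem.get("name", "?"), "scheme": scheme,
                         "host": host, "port": uri.port, "tls": tls, "risk": risk})
    return findings


def plaintext_listeners(xml_text):
    """Names of connectors that still need a firewall block or a move to TLS."""
    return [f["name"] for f in audit_connectors(xml_text) if not f["tls"]]


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_ACTIVEMQ_XML):
        print(finding)
```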
Additional Notes
Some additional notes on this and related vulnerabilities:
If you have additional questions, please contact our support team via the Peer Service Desk.