CVE-2023-46604 漏洞原理深度解析:OpenWire协议反序列化与Spring XML注入
📅 2026/7/9 17:27:35
👁️ 阅读次数
📝 编程学习
CVE-2023-46604漏洞深度剖析:OpenWire协议反序列化与Spring XML注入的致命组合
漏洞背景与影响范围
Apache ActiveMQ作为企业级消息中间件的标杆产品,其安全漏洞往往牵动着整个分布式系统的神经。2023年披露的CVE-2023-46604漏洞因其无需认证、直接导致远程代码执行(RCE)的特性,被评定为CVSS 9.8分的关键级漏洞。该漏洞影响范围涵盖:
受影响版本:
- Apache ActiveMQ < 5.15.16
- 5.16.0 ≤ Apache ActiveMQ < 5.16.7
- 5.17.0 ≤ Apache ActiveMQ < 5.17.6
- 5.18.0 ≤ Apache ActiveMQ < 5.18.3
攻击入口:默认开放的61616端口(OpenWire协议端口)
OpenWire协议与漏洞成因
OpenWire是ActiveMQ自研的二进制协议,负责处理跨语言客户端的通信。漏洞的核心在于BaseDataStreamMarshaller.createThrowable方法的安全缺陷:
// 漏洞代码简化示意 protected Throwable createThrowable(String className, String message) { try { Class<?> clazz = Class.forName(className); Constructor<?> constructor = clazz.getConstructor(String.class); return (Throwable) constructor.newInstance(message); } catch (...) { ... } }漏洞触发链条:
- 攻击者通过OpenWire协议发送精心构造的ExceptionResponse消息
- 服务端反序列化时调用
createThrowable方法 - 通过伪造的className参数加载恶意Spring XML配置
- 最终触发Spring的XML外部实体注入(XXE)导致RCE
漏洞利用技术细节
恶意XML构造原理
攻击者需要托管包含以下结构的XML文件:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg> <list> <value>bash</value> <value>-c</value> <value><![CDATA[恶意命令]]></value> </list> </constructor-arg> </bean> </beans>关键参数说明:
| 参数 | 作用 | 示例值 |
|---|---|---|
| class | 要实例化的类 | java.lang.ProcessBuilder |
| init-method | 初始化后调用的方法 | start |
| constructor-arg | 构造参数列表 | 命令参数数组 |
攻击流量特征分析
通过Wireshark捕获的攻击流量显示以下特征:
- 协议头:前4字节为消息长度,随后1字节标识数据类型(0x1F表示ExceptionResponse)
- 恶意载荷:包含
ClassPathXmlApplicationContext和远程XML URL的UTF-8字符串
典型攻击包结构:
0000 00 00 00 8f 1f 00 00 00 01 01 00 00 00 01 01 01 0010 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00防御与修复方案
官方修复措施
Apache官方通过以下方式修复该漏洞:
版本升级:
- 5.15.x分支升级至≥5.15.16
- 5.16.x分支升级至≥5.16.7
- 5.17.x分支升级至≥5.17.6
- 5.18.x分支升级至≥5.18.3
代码级修复:
- 在
BaseDataStreamMarshaller中添加类名白名单校验 - 禁止加载非
java.lang.Throwable子类的对象
- 在
临时缓解方案
对于无法立即升级的环境,建议:
网络层防护:
- 在防火墙限制61616端口的访问源IP
- 启用TLS加密OpenWire通信
配置调整:
<!-- conf/activemq.xml --> <transportConnectors> <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?wireFormat.maxInactivityDuration=30000"/> </transportConnectors>运行时防护:
- 部署RASP解决方案监控可疑的类加载行为
- 启用Java安全管理器限制ProcessBuilder的调用
漏洞检测与验证
检测方法
版本检查:
# 通过管理接口查询版本 curl -u admin:admin http://<target>:8161/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/Version流量检测规则(Suricata示例):
alert tcp any any -> any 61616 (msg:"Possible ActiveMQ CVE-2023-46604 Exploit"; content:"|1f|"; depth:1; content:"org.springframework.context.support.ClassPathXmlApplicationContext"; distance:0; sid:1000001; rev:1;)
安全研究启示
协议安全设计:
- 二进制协议必须包含严格的类型校验
- 反序列化操作应默认禁用危险类型
框架集成风险:
// 危险的设计模式示例 public class VulnerableDesign { public Object deserialize(byte[] data) { // 缺少类型检查的反序列化 return new ObjectInputStream(new ByteArrayInputStream(data)).readObject(); } }防御纵深策略:
- 实施最小权限原则运行服务
- 定期进行协议模糊测试(Fuzzing)
编程学习
技术分享
实战经验