
CVE-2023-46604 PoC — Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

Associated Vulnerability
Title: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)
Description: The Java OpenWire protocol marshaller is vulnerable to remote code execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
Repository description
Vulnerability Detection and Mitigation for Apache ActiveMQ | Security Architectures and Systems Administration - on - Apache ActiveMQ Deserialization Remote Code Execution (RCE) – CVE-2023-46604
Readme
# Project-Vuln-Detection-N-Mitigation_101

### Apache ActiveMQ Deserialization RCE (CVE-2023-46604) – Phase 2 Project
> **Security Architectures & Systems Administration**

> **Author:** *[Vaishnavu C V]* · **Date:** *17 Sep 2025*

> **Status:** Phase 2 deliverables complete

---

## Overview

This repository documents a hands‑on security design project focused on **CVE‑2023‑46604** in **Apache ActiveMQ (Classic)**. It includes a clear explanation of the vulnerability, deep‑dive technical notes, impact assessment, affected systems, **detection** and **mitigation** designs, and a consolidated design report suitable for university submission.

---

## Quick Links

* **Phase 2 Design Report (single file)** → [`phase_2_design_report.md`](./phase_2_design_report.md)
* **All Sections (modular):**

  * Introduction → [`phase_2_intro.md`](./phase_2_intro.md)
  * Vulnerability Explanation → [`phase_2_vulnerability_explanation.md`](./phase_2_vulnerability_explanation.md)
  * Technical Detail → [`phase_2_technical_detail.md`](./phase_2_technical_detail.md)
  * Impact → [`phase_2_impact.md`](./phase_2_impact.md)
  * Affected Systems → [`phase_2_affected_systems.md`](./phase_2_affected_systems.md)
  * Detection Design → [`phase_2_detection_design.md`](./phase_2_detection_design.md)
  * Mitigation Design → [`phase_2_mitigation_design.md`](./phase_2_mitigation_design.md)
  * Conclusion → [`phase_2_conclusion.md`](./phase_2_conclusion.md)
  * References → [`phase_2_references.md`](./phase_2_references.md)

---

## Repository Structure

```
.
├── phase_2_design_report.md
├── phase_2_intro.md
├── phase_2_vulnerability_explanation.md
├── phase_2_technical_detail.md
├── phase_2_impact.md
├── phase_2_affected_systems.md
├── phase_2_detection_design.md
├── phase_2_mitigation_design.md
├── phase_2_conclusion.md
└── phase_2_references.md
```

```mermaid
flowchart LR
  A[Internet attacker] -->|OpenWire 61616<br/>malicious serialized payload| B[(ActiveMQ Broker)]
  A -->|Scanning and recon| F[Firewall and ACLs]
  F --> B

  B -->|Traffic mirror or syslog| C[IDS or IPS Suricata Snort]
  B -->|Conn logs| D[Zeek anomaly logs]
  B -->|App logs| E[ActiveMQ logs]

  C -->|Alert| J[(SIEM)]
  D -->|Alert| J
  E -->|Alert| J
  J -->|Correlation and auto action| G[Fail2ban auto ban]
  G -. block .- F

  H[Container sandbox non root AppArmor] --- B
  I[Protocol restriction disable OpenWire] --- B

  classDef detect fill:#eef7ff,stroke:#82b1ff,color:#0a3d62;
  classDef ctrl fill:#eefbee,stroke:#6bbf59,color:#0a3d62;
  classDef siem fill:#fff7e6,stroke:#f5a623,color:#6b3e00;

  class C,D,E detect;
  class F,G,H,I ctrl;
  class J siem;
```
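The IDS/IPS leg of the diagram only helps if the sensor can actually recognise the class-type manipulation the advisory describes on the wire. The following is an added example written for this README (not code from the project, and not ActiveMQ's own marshaller): a parser for a loose-encoded OpenWire `ExceptionResponse` (command type 31) that extracts the Throwable class name carried in the frame and flags names that a broker or client would never legitimately raise. It assumes the loose (non-tight) OpenWire encoding with the 4-byte size prefix on and stack traces off; the trusted-package list is illustrative, and the two frames are constructed here, not captures.

```python
"""Flag suspicious Throwable class names in loose-encoded OpenWire
ExceptionResponse frames.

Added example for this README; not the project's or ActiveMQ's code.
Assumptions: loose encoding, size prefix enabled, stack traces disabled,
ASCII class names (DataInput's modified UTF-8 equals UTF-8 for ASCII).
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

EXCEPTION_RESPONSE = 31  # OpenWire command type id for ExceptionResponse

# A legitimate ExceptionResponse carries a Throwable from the JDK or the
# broker itself. Anything else is the "serialized class type" manipulation
# the advisory describes. Both lists are illustrative allow/deny heuristics.
TRUSTED_PACKAGES = ("java.", "javax.", "jakarta.", "org.apache.activemq.")
THROWABLE_SUFFIXES = ("Exception", "Error", "Throwable")


class Cursor:
    """Minimal big-endian reader with DataInput semantics."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated frame")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def flag(self) -> bool:
        return self.u8() != 0

    def i32(self) -> int:
        return struct.unpack(">i", self.take(4))[0]

    def utf(self) -> str:
        # DataInput.readUTF: 2-byte length, then the string bytes
        n = struct.unpack(">H", self.take(2))[0]
        return self.take(n).decode("utf-8")

    def loose_string(self) -> Optional[str]:
        # looseUnmarshalString: presence boolean, then readUTF
        return self.utf() if self.flag() else None


@dataclass
class ThrowableInfo:
    class_name: str
    message: Optional[str]
    suspicious: bool
    reason: str


def classify(class_name: str, message: Optional[str]) -> Tuple[bool, str]:
    """Heuristic verdict on the class that will be instantiated by name."""
    if not class_name.startswith(TRUSTED_PACKAGES):
        return True, "class outside trusted packages: " + class_name
    if not class_name.endswith(THROWABLE_SUFFIXES):
        return True, "class name does not look like a Throwable: " + class_name
    if message and message.lower().startswith(("http://", "https://", "file:", "ftp://")):
        return True, "message is a URL, not an error text: " + message
    return False, "ok"


def parse_exception_response(frame: bytes) -> Optional[ThrowableInfo]:
    """Return the Throwable in an ExceptionResponse, or None for other commands."""
    c = Cursor(frame)
    if c.i32() != len(frame) - 4:
        raise ValueError("size prefix does not match frame length")
    if c.u8() != EXCEPTION_RESPONSE:
        return None
    c.i32()             # commandId
    c.flag()            # responseRequired
    c.i32()             # correlationId
    if not c.flag():    # exception present?
        return None
    class_name = c.loose_string() or ""
    message = c.loose_string()
    return ThrowableInfo(class_name, message, *classify(class_name, message))


def build_frame(class_name: str, message: str) -> bytes:
    """Build a loose-encoded ExceptionResponse (constructed test input only)."""
    def utf(s: str) -> bytes:
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    body = bytes([EXCEPTION_RESPONSE]) + struct.pack(">i", 7) + b"\x00" + struct.pack(">i", 3)
    body += b"\x01" + b"\x01" + utf(class_name) + b"\x01" + utf(message)
    return struct.pack(">i", len(body)) + body


# Constructed samples: a normal broker error, and a frame whose Throwable slot
# names a class that is not a Throwable at all (the shape of the CVE abuse).
BENIGN = build_frame("java.lang.SecurityException", "Authentication failed")
SUSPECT = build_frame("com.example.app.ConfigLoader", "https://203.0.113.10/config.xml")

if __name__ == "__main__":
    for frame in (BENIGN, SUSPECT):
        info = parse_exception_response(frame)
        print("ALERT" if info.suspicious else "ok   ", info.class_name, "-", info.reason)
```

A real sensor has to handle the tight encoding (bit-packed presence flags) and stack-trace fields as well, and the class-name heuristic should be tuned to the Throwables your own application code emits; the point here is that the class name is readable in cleartext on TCP/61616, so a Suricata or Zeek signature can key on it without decoding the whole protocol.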

---

## How to Use This Repo

1. **Read the Single‑File Report:** If you’re reviewing for assessment, start with [`phase_2_design_report.md`](./phase_2_design_report.md).
2. **Deep‑dive by Section:** Use the modular files listed above to review specific parts (e.g., directly jump to Detection or Mitigation).
3. **Recreate the Lab (Optional):**

   * Use a **segmented test network** and an **isolated VM/container** for any proof‑of‑concept experiments.
   * Block or strictly restrict **TCP/61616** (the default OpenWire port) at the network edge.
   * Run patched ActiveMQ versions (5.15.16, 5.16.7, 5.17.6, or 5.18.3 and later) in production; keep vulnerable versions **air‑gapped** for research only.

> **Safety Note:** Any exploitation steps must be performed **only in a lawful, controlled lab**, never on production or systems you do not own/operate.
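Before recreating the lab, or when triaging a real deployment, the two questions to settle are whether the broker version is below the fixed releases the advisory names and whether `activemq.xml` exposes an OpenWire `transportConnector` on all interfaces. The script below is an added example written for this README, not the project's code: it encodes the advisory's fixed versions (5.15.16, 5.16.7, 5.17.6, 5.18.3) and walks a broker configuration. The XML is a constructed sample that follows the stock `activemq.xml` layout; the element and attribute names (`transportConnector`, `name`, `uri`) are the real ones, everything else in it is made up.

```python
"""Audit an ActiveMQ Classic broker for CVE-2023-46604 exposure.

Added example for this README, not project code. Checks:
  1. broker version against the fixed releases named in the advisory
  2. which transportConnectors speak OpenWire (tcp/nio/ssl) and where they bind
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Fixed release per 5.x line, from the advisory text quoted at the top of this page.
FIXED = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
OPENWIRE_SCHEMES = {"tcp", "nio", "ssl"}   # "nio+ssl" reduces to "nio"


def version_status(version: str) -> str:
    """'vulnerable', 'patched', or 'outside-advisory-range' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparsable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if major != 5 or minor > 18:
        return "outside-advisory-range"   # the advisory lists 5.x lines only
    if minor < 15:
        return "vulnerable"               # "before 5.15.16": no fix in these lines
    return "patched" if (major, minor, patch) >= FIXED[minor] else "vulnerable"


def audit_connectors(xml_text: str) -> list:
    """One finding per OpenWire transportConnector with its bind scope."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "transportConnector":
            continue
        u = urlsplit(el.get("uri", ""))
        if u.scheme.split("+")[0] not in OPENWIRE_SCHEMES:
            continue                      # amqp/mqtt/stomp/ws use other marshallers
        host = u.hostname or ""
        if host in ("0.0.0.0", "::", ""):
            bind = "all-interfaces"
        elif host in LOOPBACK:
            bind = "loopback"
        else:
            bind = "single-interface"
        findings.append({"name": el.get("name"), "port": u.port,
                         "bind": bind, "needs_acl": bind != "loopback"})
    return findings


def report(version: str, xml_text: str) -> dict:
    """Combine both checks into the decision the lab checklist asks for."""
    status = version_status(version)
    connectors = audit_connectors(xml_text)
    exposed = [c["name"] for c in connectors if c["needs_acl"]]
    if status == "vulnerable" and exposed:
        action = "upgrade now; until then restrict or remove OpenWire on " + ", ".join(exposed)
    elif status == "vulnerable":
        action = "upgrade; OpenWire is loopback-only, so exposure is local processes"
    else:
        action = "no upgrade needed for this CVE; keep firewall ACLs on OpenWire"
    return {"version": status, "connectors": connectors, "action": action}


# Constructed sample in the stock activemq.xml layout (namespaces as shipped).
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire"
        uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000"/>
      <transportConnector name="admin-openwire" uri="tcp://127.0.0.1:61617"/>
    </transportConnectors>
  </broker>
</beans>
"""

if __name__ == "__main__":
    r = report("5.18.2", SAMPLE_XML)
    print(r["version"])
    for c in r["connectors"]:
        print(f"  {c['name']:15} port={c['port']} bind={c['bind']}")
    print(r["action"])
```

Note that `wireFormat.maxFrameSize` on the connector bounds the frame length, not the class that gets instantiated, so it is not a mitigation for this CVE; only the version check or removing OpenWire exposure changes the verdict.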

---

## Grading Alignment

* **Vulnerability Explanation (4 marks)** → `phase_2_vulnerability_explanation.md`
* **Detection + Mitigation Design (6 marks)** → `phase_2_detection_design.md` and `phase_2_mitigation_design.md`
* **Criteria (applicability, practicality, originality, feasibility, clarity)** are addressed via:

  * Clear network/app‑level detection paths, example IDS/Zeek/SIEM workflows.
  * Practical firewall, protocol, container, and auto‑ban controls for real deployments.
  * Original correlation ideas and mock artifacts for incident response.

---

## Getting Started (Lab‑safe checklist)

* **Network:** Dedicated VLAN/subnet; restrict east‑west traffic.
* **Host:** Linux VM with container runtime.
* **Logging:** Forward ActiveMQ/host/network logs to your SIEM/ELK.
* **Controls:** Prepare fail2ban, ACL rules, and container profiles before testing.
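The "correlation and auto action" step in the design is, concretely, a per-source sliding window over broker log events that ends in a ban. The block below is an added example for this README, not the project's code: it replays constructed `activemq.log` lines and returns the sources a fail2ban jail or SIEM rule should ban. The lines follow the default `timestamp | LEVEL | message | logger | thread` layout and the broker's `Transport Connection to: ... failed:` warning; that layout is an assumption about your appender configuration, so adjust `LINE_RE` (and the matching fail2ban `failregex`) to your own pattern.

```python
"""Sliding-window correlation of ActiveMQ transport failures per source IP.

Added example for this README, not project code. Log lines are constructed;
the layout (`ts | LEVEL | message | logger | thread`) is assumed to match the
stock activemq.log appender.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \| (?P<level>\w+)\s*\| "
    r"Transport Connection to: tcp://(?P<ip>[^:]+):\d+ failed: (?P<err>.*?) \| "
)
# Plain client hang-ups are normal and must not count toward a ban.
IGNORE_ERRORS = ("java.io.EOFException",)
WINDOW = timedelta(seconds=60)
MAXRETRY = 3

# Equivalent fail2ban filter for the same heuristic (fail2ban substitutes <HOST>).
FAIL2BAN_FAILREGEX = (
    r"^.*\| WARN\s*\| Transport Connection to: tcp://<HOST>:\d+ failed: "
    r"(?!java\.io\.EOFException)"
)


def ban_decisions(lines: Iterable[str], window: timedelta = WINDOW,
                  maxretry: int = MAXRETRY) -> Dict[str, datetime]:
    """Map each source IP that reached `maxretry` failures within `window`
    to the timestamp of the event that triggered the ban."""
    hits = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["err"].startswith(IGNORE_ERRORS):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = hits[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= maxretry and m["ip"] not in banned:
            banned[m["ip"]] = ts
    return banned


# Constructed log lines: one source repeatedly sends frames the marshaller
# rejects, one client simply disconnects, one source fails twice but slowly.
LOG = """\
2025-09-17 10:15:02,113 | WARN  | Transport Connection to: tcp://203.0.113.7:50112 failed: java.io.IOException: Unknown data type: 47 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:50112@61616
2025-09-17 10:15:05,900 | WARN  | Transport Connection to: tcp://192.0.2.9:40001 failed: java.io.IOException: Unknown data type: 47 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.0.2.9:40001@61616
2025-09-17 10:15:09,420 | WARN  | Transport Connection to: tcp://203.0.113.7:50118 failed: java.io.IOException: Unknown data type: 47 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:50118@61616
2025-09-17 10:15:31,002 | WARN  | Transport Connection to: tcp://198.51.100.4:41022 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///198.51.100.4:41022@61616
2025-09-17 10:15:40,777 | WARN  | Transport Connection to: tcp://203.0.113.7:50131 failed: java.io.IOException: Unknown data type: 47 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:50131@61616
2025-09-17 10:16:00,000 | INFO  | Apache ActiveMQ 5.18.2 (localhost, ID:broker-1) started | org.apache.activemq.broker.BrokerService | main
2025-09-17 10:17:30,015 | WARN  | Transport Connection to: tcp://192.0.2.9:40007 failed: java.io.IOException: Unknown data type: 47 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.0.2.9:40007@61616
2025-09-17 10:18:05,001 | WARN  | Transport Connection to: tcp://203.0.113.7:50140 failed: java.io.IOException: Unknown data type: 47 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:50140@61616
""".splitlines()

if __name__ == "__main__":
    for ip, when in ban_decisions(LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Tune `WINDOW`/`MAXRETRY` against a baseline of your real clients first: reconnect storms after a broker restart look exactly like this from the broker's point of view, so the ban action should feed the firewall/ACL layer with an expiry rather than a permanent rule.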

---

## License

This educational content is provided for academic, non‑commercial use. Follow your institution’s policies and local laws.

---
File Snapshot

```
[4.0K] /data/pocs/abd64f4e776606126444c62b4417468a93704dba
├── [1.0K] LICENSE
├── [3.3K] phase_2_affected_systems.md
├── [2.8K] phase_2_conclusion.md
├── [6.3K] phase_2_design_report.md
├── [4.7K] phase_2_detection_design.md
├── [3.5K] phase_2_impact.md
├── [4.5K] phase_2_intro.md
├── [4.7K] phase_2_mitigation_design.md
├── [3.1K] phase_2_references.md
├── [3.9K] phase_2_technical_detail.md
├── [3.9K] phase_2_vulnerability_explanation.md
└── [4.5K] README.md

0 directories, 12 files
```