Apache ActiveMQ Vulnerability

Background 

On October 27, 2023, the Apache Software Foundation disclosed a vulnerability affecting specific versions of Apache ActiveMQ, a Java-based message broker, and released fixed versions at the same time. The vulnerability, tracked as CVE-2023-46604, allows remote code execution on affected environments and has been rated critical; it was being exploited in the wild within days of disclosure. Many applications use the affected Apache software, including specific versions of Manhattan software.

Please refer to our Frequently Asked Questions (FAQ) section below for more details.

Updates

November 13, 2023

  • Updated actions customers need to take.
  • Updated delivery status table.

November 12, 2023 

  • Updated delivery status table. 

November 10, 2023 

  • Added delivery status table. 

November 9, 2023  

  • Assessed any potential impact on Manhattan Associates’ products and services.  
  • Sent initial notification to customers regarding this issue.  
  • Created and published FAQ page with details of the vulnerability and affected products.  
  • Began building the update process for affected products.   

Apache ActiveMQ Vulnerability FAQs

What is ActiveMQ? 

ActiveMQ is an open source message broker, written in Java and developed by the Apache Software Foundation. It relays messages between applications that do not talk to each other directly, over several wire protocols; OpenWire, its native protocol, is the one affected by this vulnerability.

What is the ActiveMQ Vulnerability? 

The Apache Software Foundation has stated that affected versions of ActiveMQ allow a remote attacker with network access to the broker (or to an OpenWire client) to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker (or client) to instantiate any class on its classpath. In practice the attacker needs only a TCP connection to the broker's OpenWire listener (port 61616 by default); no credentials are required.

This vulnerability has been assigned CVE-2023-46604 and carries a CVSS v3.1 base score of 10.0 (critical).

More details of this vulnerability can be found here - https://nvd.nist.gov/vuln/detail/CVE-2023-46604 

What Versions of ActiveMQ are Affected? 

Per the Apache security advisory for CVE-2023-46604, the following are affected: Apache ActiveMQ 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7, and all releases before 5.15.16, plus the Legacy OpenWire Module 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7, and 5.8.0 before 5.15.16. The fixed releases are 5.15.16, 5.16.7, 5.17.6 and 5.18.3. Full details are on the Apache website and in the NVD entry linked above.
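The following is an added example, not code from Manhattan Associates or from the Apache ActiveMQ project. It turns the affected-version ranges above into a check a practitioner can run against an inventory, and pulls the broker's self-reported version out of the OpenWire WireFormatInfo banner that a broker sends as soon as a client connects to its listener (TCP 61616 by default). The version ranges are those in the Apache advisory; the banner used here is constructed, the framing around its property map is simplified, and the assumption that a String property is encoded as a UTF key, a type byte of 9, and a length-prefixed UTF value follows ActiveMQ's MarshallingSupport encoding.

```python
import re
import struct
from typing import Dict, Optional, Tuple

# Fixed releases named in the Apache advisory for CVE-2023-46604. Every release
# before the fixed one on the same minor line is affected, and so is every
# release older than 5.15 (there is no fixed 5.14 or earlier release).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# MarshallingSupport type tag that precedes a String value in an OpenWire
# property map (assumption about the wire encoding, see the lead-in).
STRING_TYPE = 9


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch', ignoring any suffix such as '-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if this ActiveMQ release is in a range affected by CVE-2023-46604."""
    major, minor, patch = parse_version(version)
    if (major, minor) > (5, 18):
        return False  # 6.x and later shipped after the fix
    if (major, minor) < (5, 15):
        return True   # older than the oldest fixed line; no fix exists for it
    return (major, minor, patch) < FIXED_VERSIONS[(major, minor)]


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF style: 2-byte big-endian length, then bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_banner(provider_version: str) -> bytes:
    """Constructed WireFormatInfo banner for testing (not a real capture).

    The framing before the property map is simplified; only the property map
    encoding (<int count>, then <UTF key><type byte><UTF value> per entry)
    matters to the extractor below.
    """
    props = {
        "ProviderName": "ActiveMQ",
        "ProviderVersion": provider_version,
        "PlatformDetails": "Java",
    }
    body = struct.pack(">I", len(props))
    for key, value in props.items():
        body += _utf(key) + bytes([STRING_TYPE]) + _utf(value)
    payload = bytes([1]) + b"ActiveMQ" + struct.pack(">I", 12)  # type, magic, wire version
    payload += struct.pack(">I", len(body)) + body
    return struct.pack(">I", len(payload)) + payload


def provider_version_from_banner(banner: bytes) -> Optional[str]:
    """Extract the ProviderVersion string from a WireFormatInfo banner.

    Returns None when the key is absent or the bytes after it do not look
    like a String property, so a hostile or truncated banner cannot raise.
    """
    key = b"ProviderVersion"
    idx = banner.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if pos + 3 > len(banner) or banner[pos] != STRING_TYPE:
        return None
    (length,) = struct.unpack_from(">H", banner, pos + 1)
    value = banner[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def assess_banner(banner: bytes) -> Dict[str, object]:
    """Fingerprint the broker from its banner, then check the affected ranges."""
    version = provider_version_from_banner(banner)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    for v in ("5.15.15", "5.15.16", "5.18.2", "5.18.3", "5.14.5", "6.0.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print(assess_banner(build_sample_banner("5.17.5")))
```

A banner-derived version is only a hint: a broker can be patched by a vendor backport without changing its ProviderVersion, and the banner is sent before any authentication, which is also why the listener should not be reachable from untrusted networks.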

What Manhattan Products are Affected? 

Supply Chain Process Platform (SCPP) – versions 2015 and newer 

  • DFIO/PFIO 
  • DOM 
  • EEM 
  • LM 
  • OLM 
  • SIF 
  • Slotting 
  • TMS 
  • WMOS 
  • Manhattan Management Console (MMC)  

What Manhattan Products are NOT Affected? 

  • Supply Chain Process Platform (SCPP) – versions 2014 and previous 
  • Manhattan Active® products  
  • Warehouse Management for IBM i 
  • SCALE™  
  • Billing Management 
  • Carrier Management 
  • Manhattan Integration Framework (MIF) 
  • Supply Chain Intelligence (SCI) 

Third-Party Components – for other third-party software that embeds ActiveMQ, please refer to the respective vendors' websites for their guidance on this vulnerability.

What Environments Are Affected? 

Any environment where affected Manhattan products are deployed may be impacted by this vulnerability. This includes environments within: 

  • Manhattan hosted and SaaS   
  • Customer hosted, Manhattan managed 
  • Customer hosted and managed    

When Will Updates Be Published For Affected Products? 

  • Patch availability and delivery status is listed in the table below.  Check back here for updates. 

    Delivery Status Table 

    Affected Platform Versions (All Products)              | Patch Delivery ETA
    -------------------------------------------------------|--------------------------------------------------------------------
    Supply Chain Process Platform (SCPP) 2017 through 2023 | Delivered on November 10
    SCPP 2016 (OpenJDK Java 8 - JBoss EAP)                 | Delivered on November 13
    SCPP 2016 (IBM SDK Java 7 - IBM WebSphere)             | No patch: Apache has not released a fix for Java 7 deployments. *
    SCPP 2015 (OpenJDK Java 7 - JBoss EAP)                 | No patch: Apache has not released a fix for Java 7 deployments. *
    SCPP 2015 (IBM SDK Java 7 - IBM WebSphere)             | No patch: Apache has not released a fix for Java 7 deployments. *

    * The fixed ActiveMQ releases (5.15.16 and later) require Java 8, so there is no upstream patch for these Java 7 deployments. Customers should review mitigation guidance from the Apache Software Foundation, the Cybersecurity & Infrastructure Security Agency (CISA), which has added CVE-2023-46604 to its Known Exploited Vulnerabilities catalog, and the National Institute of Standards and Technology (NIST) to reduce their exposure. At a minimum, restrict network access to the broker's OpenWire listener (TCP port 61616 by default) to the hosts that legitimately need it, since the vulnerability is reachable without credentials.

What Actions Do Customers Need To Take?