Apache RocketMQ Command Execution Vulnerability - 20230907001
Overview
The WA SOC has observed reports of a possible remote code execution vulnerability in RocketMQ versions 5.1.0 and below. Components including the NameServer, Broker, and Controller may be exposed on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging RocketMQ protocol content.
What is the vulnerability?
CVE-2023-33246 - CVSS v3 Base Score: 9.8
What is vulnerable?
The vulnerability affects the following products:
- Apache RocketMQ 5.0.0 through 5.1.1
- Apache RocketMQ through 4.9.6
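The version ranges above have edges that are easy to get wrong during triage (4.9.6 is affected but 4.9.7 is not; 5.1.1 is affected but 5.1.2 is not). The following script is an added example written for this advisory, not code from the WA SOC or the Apache RocketMQ project. It parses version strings from a constructed asset inventory, checks each instance against the affected ranges listed on this page, and raises the priority of any affected component that is reachable from the internet, matching the exposure condition described in the Overview. The `Instance` record, its field names and the sample inventory are assumptions made for the example.

```python
"""Triage a RocketMQ inventory against the CVE-2023-33246 affected version ranges."""
import re
from dataclasses import dataclass

# Inclusive ranges taken from the "What is vulnerable?" list above.
AFFECTED_RANGES = [
    ((5, 0, 0), (5, 1, 1)),  # Apache RocketMQ 5.0.0 through 5.1.1
    ((0, 0, 0), (4, 9, 6)),  # Apache RocketMQ through 4.9.6
]


def parse_version(text):
    """Return (major, minor, patch) from strings such as '4.9.4' or 'v5.1.0-SNAPSHOT'."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised RocketMQ version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version falls inside any affected range (bounds inclusive)."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


@dataclass
class Instance:
    """One RocketMQ component from the asset inventory (hypothetical record layout)."""
    host: str
    component: str          # NameServer, Broker or Controller
    version: str
    internet_reachable: bool  # result of a firewall / exposure review


def triage(instances):
    """Rank each instance: critical = affected and exposed, high = affected, info = not affected."""
    findings = []
    for inst in instances:
        affected = is_affected(inst.version)
        if affected and inst.internet_reachable:
            priority = "critical"
        elif affected:
            priority = "high"
        else:
            priority = "info"
        findings.append((inst.host, inst.component, inst.version, priority))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Instance("mq-ns-01.example.internal", "NameServer", "4.9.6", True),
    Instance("mq-broker-01.example.internal", "Broker", "5.1.1", False),
    Instance("mq-broker-02.example.internal", "Broker", "5.1.2", True),
    Instance("mq-ctrl-01.example.internal", "Controller", "4.9.7", True),
]

if __name__ == "__main__":
    for host, component, version, priority in triage(SAMPLE_INVENTORY):
        print(f"{priority:8} {component:10} {version:8} {host}")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY`; anything ranked `critical` should be patched or removed from internet exposure first, within the timeframe given in the Recommendation.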
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month (refer to Patch Management):