Missing authorization in Apache RocketMQ

1) Missing Authorization

EUVDB-ID: #VU76462

Risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2023-33246

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in several components of RocketMQ, including NameServer, Broker, and Controller. A remote non-authenticated attacker can use the update configuration function to execute arbitrary commands on the system. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

RocketMQ: 4.2.0 - 5.1.0

CPE2.3

• cpe:2.3:a:apache_foundation:rocketmq:4.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:*:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.5.2:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.6.0:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.6.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:rocketmq:4.7.0:*:*:*:*:*:*:*

External links

https://seclists.org/oss-sec/2023/q2/189
https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.