Missing authorization in Apache RocketMQ



Risk: High
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2023-37582
CWE-ID: CWE-862
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: RocketMQ
Software category: Universal components / Libraries / Software for developers

Vendor: Apache Foundation

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Missing Authorization

EUVDB-ID: #VU78267

Risk: High

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2023-37582

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in the RocketMQ NameServer component. A remote, non-authenticated attacker can use the update configuration function of the NameServer component to execute commands as the system user that RocketMQ runs as.

Note: the vulnerability exists due to an incomplete fix for #VU76462 (CVE-2023-33246).

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

RocketMQ: 4.2.0 - 5.1.1

External links

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
https://www.openwall.com/lists/oss-security/2023/07/12/1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
