#VU76462 Missing Authorization in RocketMQ - CVE-2023-33246

Published: May 24, 2023 / Updated: August 31, 2023

Vulnerability identifier: #VU76462
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2023-33246
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software: RocketMQ
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in several components of RocketMQ, including the NameServer, Broker, and Controller. A remote, unauthenticated attacker can abuse the update configuration function to execute arbitrary commands on the system. Alternatively, an attacker can achieve the same effect by forging RocketMQ protocol content.

Remediation

Install updates from the vendor's website.

External links