#VU76462 Missing Authorization in RocketMQ - CVE-2023-33246

Cybersecurity Help s.r.o.

Published: 2023-05-24 | Updated: 2023-08-31

Vulnerability identifier: #VU76462

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2023-33246

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
RocketMQ
Universal components / Libraries / Software for developers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in several components of RocketMQ, including NameServer, Broker, and Controller. A remote non-authenticated attacker can use the update configuration function to execute arbitrary commands on the system. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

RocketMQ: 4.2.0 - 4.9.5, 5.0.0 - 5.1.0

External links
https://seclists.org/oss-sec/2023/q2/189
https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Missing authorization in IBM Instana Observability

Missing authorization in Apache RocketMQ