CVE-2023-33246

Apache RocketMQ: Possible remote code execution vulnerability when using the update configuration function

CVSS 9.8 CRITICAL | EPSS 96.6% | KEV | CWE-94
In short

Apache RocketMQ versions 5.1.0 and below allow attackers to execute arbitrary commands on servers running the software. If RocketMQ components are exposed to the internet without proper access controls, an attacker can use the configuration update feature to run malicious commands with the privileges of the RocketMQ system user.

Technical detail

CVE-2023-33246 stems from missing authentication on RocketMQ NameServer, Broker, and Controller components that are exposed to untrusted networks. An attacker who can reach one of these components can abuse the update configuration function, or send forged RocketMQ protocol messages, to achieve remote code execution (CWE-94: Improper Control of Generation of Code) with the privileges of the user the RocketMQ process runs as. Affected versions are RocketMQ 5.1.0 and below (4.x up to 4.9.5); the fixed releases are 5.1.1 for the 5.x line and 4.9.6 for the 4.x line.

Summary generated and translated by AI from the official description.
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above when using RocketMQ 5.x, or 4.9.6 or above when using RocketMQ 4.x.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
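As an added example (not from the advisory or the RocketMQ project), the following Python triages a constructed inventory of RocketMQ components against the affected and fixed versions stated above, ranking internet-exposed, unauthenticated nodes first; the `Node` record, its fields and the host names are assumptions.

```python
"""Added example, not from the advisory or the RocketMQ project: triage a
RocketMQ inventory against CVE-2023-33246 (fixed in 5.1.1 and 4.9.6)."""
import re
from dataclasses import dataclass

FIXED = {4: (4, 9, 6), 5: (5, 1, 1)}  # first patched release per major line

@dataclass
class Node:                 # hypothetical inventory record
    host: str
    component: str          # NameServer, Broker or Controller
    version: str
    internet_exposed: bool  # reachable from untrusted networks
    authenticated: bool     # some access control is enforced in front of it

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '4.9.4', '4.9' or '5.1.0-SNAPSHOT' into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised RocketMQ version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version: str) -> bool:
    """True when the version predates the patched release of its major line.
    Other majors count as affected only if they are 5.1.0 or older."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return v <= (5, 1, 0) if fixed is None else v < fixed

def triage(nodes: list[Node]) -> list[tuple[str, str]]:
    """Return (host, action) for every affected node, most urgent first."""
    out = []
    for n in nodes:
        if not is_affected(n.version):
            continue
        if n.internet_exposed and not n.authenticated:
            out.append((n.host, "URGENT: exposed without access control; upgrade now"))
        else:
            out.append((n.host, "upgrade to 5.1.1+ / 4.9.6+"))
    return sorted(out, key=lambda r: not r[1].startswith("URGENT"))

# Constructed sample inventory; hosts are placeholders, not real systems.
INVENTORY = [
    Node("ns-1.example.test", "NameServer", "4.9.4", False, True),
    Node("broker-1.example.test", "Broker", "5.1.0", True, False),
    Node("broker-2.example.test", "Broker", "5.1.1", True, False),
    Node("ctrl-1.example.test", "Controller", "4.9.5", True, True),
]
```

Running `triage(INVENTORY)` lists the three unpatched nodes with the exposed, unauthenticated broker first; the patched 5.1.1 broker is omitted even though it is exposed.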
