Attackers have been exploiting a vulnerability in Apache RocketMQ servers. CVE-2023-33246 is a critical-severity vulnerability that may allow an attacker to achieve remote code execution on successful exploitation.
Security researchers at Juniper Threat Labs have recently reported the exploitation of the vulnerability by DreamBus botnet malware.
CISA has acknowledged the active exploitation by adding this vulnerability to its Known Exploited Vulnerabilities Catalog and has recommended that users patch it before Sep 27, 2023.
RocketMQ is a distributed messaging and streaming technology with low latency, excellent performance and reliability, trillion-level capacity, and flexible scalability.
Vulnerability Details
The root cause of the vulnerability is that several RocketMQ components, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker may exploit this by using the update configuration function to execute commands as the system user under which RocketMQ is running. Forging RocketMQ protocol content also allows an attacker to exploit the vulnerability.
Affected Versions
Apache RocketMQ versions from 5.0.0 prior to 5.1.1 are affected by this vulnerability.
Mitigation
Customers must upgrade to Apache RocketMQ version 5.1.1 (for 5.x deployments) or 4.9.6 (for 4.x deployments) to patch the vulnerability.
Please refer to the Apache RocketMQ Security Advisory for more information.
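The following script is an added example (not code from Qualys or from the Apache RocketMQ project) showing how the affected range and fix versions stated above can be turned into a patch-status triage over a fleet inventory. The inventory, host names and the handling of pre-release version strings are assumptions made for the example; the version thresholds (5.1.1 for the 5.x branch, 4.9.6 for the 4.x branch) come from the advisory.

```python
"""Triage RocketMQ hosts against the CVE-2023-33246 fix versions.

Added example, not part of the advisory. Fix versions are taken from the
advisory text: 5.1.1 for the 5.x branch and 4.9.6 for the 4.x branch.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed version per major release branch, as stated in the advisory.
FIXED: Dict[int, Tuple[int, int, int]] = {4: (4, 9, 6), 5: (5, 1, 1)}

# Accepts "major.minor.patch" with an optional "-suffix" such as "-SNAPSHOT".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, release_flag) or None if unparseable.

    release_flag is 0 for a pre-release/snapshot and 1 for a final release,
    so that "5.1.1-SNAPSHOT" sorts before "5.1.1".
    """
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    release_flag = 0 if m.group(4) else 1
    return (major, minor, patch, release_flag)


def classify(version_text: str) -> str:
    """Classify one version string as 'vulnerable', 'fixed' or 'unknown'.

    Assumption (conservative): a pre-release build of the fix version is
    treated as not yet fixed. Branches the advisory does not name (e.g. 3.x)
    are reported as 'unknown' rather than guessed.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return "unknown"
    fixed_key = fixed + (1,)  # final release of the fix version
    return "vulnerable" if parsed < fixed_key else "fixed"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to its CVE-2023-33246 status."""
    return {host: classify(version) for host, version in inventory}


def summarize(statuses: Dict[str, str]) -> Dict[str, int]:
    """Count hosts per status so the vulnerable tally can be tracked."""
    counts = {"vulnerable": 0, "fixed": 0, "unknown": 0}
    for status in statuses.values():
        counts[status] += 1
    return counts


# Constructed sample inventory (host names and versions are made up).
INVENTORY: List[Tuple[str, str]] = [
    ("mq-broker-01", "5.0.0"),
    ("mq-broker-02", "5.1.0"),
    ("mq-broker-03", "5.1.1"),
    ("mq-broker-04", "5.1.1-SNAPSHOT"),
    ("mq-namesrv-01", "4.9.5"),
    ("mq-namesrv-02", "4.9.6"),
    ("mq-legacy-01", "3.2.6"),
    ("mq-unknown-01", "n/a"),
]

if __name__ == "__main__":
    results = triage(INVENTORY)
    for host, status in results.items():
        print(f"{host:16} {status}")
    print(summarize(results))
```

Feed the script the versions reported by your own asset inventory in place of the constructed list; hosts reported as "unknown" need manual confirmation rather than being assumed safe.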
Qualys Detection
Qualys customers can scan their devices with QID 730868 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp
https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability