
Apache RocketMQ Remote Command Execution Vulnerability

Released: Jul 05, 2023

Updated: Sep 06, 2023


Severity: Medium

Vendor: Apache

Vulnerability Type: Open source software actively exploited

RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. The Broker component of RocketMQ is exposed on the extranet and lacks permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands or by forging the RocketMQ protocol content. CVE-2023-33246 is reportedly being exploited in the wild. Additionally, proof-of-concept (PoC) code is publicly available.

Common Vulnerabilities and Exposures

CVE-2023-33246

Background

RocketMQ is a distributed messaging and streaming platform. It was open sourced by Alibaba in 2012. In 2016, Alibaba donated RocketMQ to the Apache Software Foundation, which later announced it as a top-level project. According to the vendor, RocketMQ has become the industry standard for financial-grade reliable business messaging and is widely used in the Internet, big data, mobile Internet, IoT, and other fields.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


May 23, 2023: The RocketMQ team released a patch and an advisory for the vulnerability.
https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

Jun 22, 2023: FortiGuard Labs released a Threat Signal report on CVE-2023-33246.
https://www.fortiguard.com/threat-signal-report/5203

Jun 29, 2023: FortiGuard Labs released an IPS signature to detect and block attacks leveraging CVE-2023-33246, and has blocked attack attempts on more than 1,000 unique IPS devices since the release.

To mitigate the risk completely, users are recommended to upgrade to version 5.1.1 or above for RocketMQ 5.x and to version 4.9.6 or above for RocketMQ 4.x.
https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

Sep 06, 2023: CISA added CVE-2023-33246 to its Known Exploited Vulnerabilities (KEV) catalog.
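The upgrade guidance above translates directly into an inventory check. The script below is an added example, not code from FortiGuard or the Apache RocketMQ project: it parses broker version strings, applies the fixed-release thresholds from the advisory (5.1.1 for the 5.x line, 4.9.6 for the 4.x line), and lists the hosts that still need upgrading. The hostnames and versions in the sample inventory are constructed for the example.

```python
# Added example for CVE-2023-33246 remediation tracking; thresholds are the fixed
# releases named in the Apache advisory (5.1.1 for 5.x, 4.9.6 for 4.x).
import re
from typing import Dict, List, Optional, Tuple

# Earliest fixed release per affected release line.
FIXED_VERSIONS = {5: (5, 1, 1), 4: (4, 9, 6)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch'; suffixes such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    """True if the RocketMQ version is affected: 5.x before 5.1.1, 4.x before
    4.9.6, or any older line (all are '5.1.0 and below'). Unparsable strings
    are treated as affected so they get a manual review rather than a pass."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    major = parsed[0]
    if major > 5:  # release lines newer than the fixed ones
        return False
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:  # 3.x or older: never received the fix
        return True
    return parsed < fixed


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose broker version is still affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "broker-a.example.internal": "5.1.0",
    "broker-b.example.internal": "5.1.1",
    "broker-c.example.internal": "4.9.4-SNAPSHOT",
    "broker-d.example.internal": "4.9.6",
    "broker-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```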

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • IPS

  • Web App Security

  • Post-execution

DETECT
  • Outbreak Detection

  • Threat Hunting

  • Content Update

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of Compromise (IOC Indicator List)

References

Sources of information in support and relation to this Outbreak and vendor.