Active Exploitation of Apache RocketMQ updateConfig Command Execution Vulnerability (CVE-2023-33246)

Description

What is Apache RocketMQ? Apache RocketMQ is an open-source distributed messaging middleware originally developed by Alibaba. It was later donated to Apache.
What is the Attack? CVE-2023-33246 is a command injection vulnerability that affects Apache RocketMQ versions 5.1 and lower. Successful exploitation of the vulnerability allows a remote attacker to execute commands as the system user under which RocketMQ is running by using the update configuration function.
Why is this Significant? This is significant because CVE-2023-33246 is reportedly being exploited in the wild. Additionally, proof-of-concept (PoC) code is publicly available. As such, attacks that leverage the vulnerability are expected to increase.
FortiGuard Labs advises that the patch should be applied as soon as possible.
What is the Vendor Solution?
Apache released RocketMQ version 5.1.1 on May 19th, 2023 to address the issue.
What FortiGuard Coverage is available? FortiGuard Labs has released a new IPS signature "Apache.RocketMQ.updateConfig.Command.Execution" in version 24.593. For a full, comprehensive list of protections from FortiGuard Labs, please visit the Outbreak Alert page for further details.

Outbreak Alert

RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. The Broker component of RocketMQ, when exposed on the extranet, lacks permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands or by forging the RocketMQ protocol content. CVE-2023-33246 is reportedly being exploited in the wild. Additionally, proof-of-concept (PoC) code is publicly available.
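The two exposure factors named above (an affected release, 5.1.0 or below, and a Broker reachable from outside without permission verification) are what a defender needs to rank remediation. The following triage helper is an added example, not FortiGuard's or the RocketMQ project's code; the `Broker` record, its field names and the inventory it runs over are constructed here for illustration.

```python
from dataclasses import dataclass

# Apache released 5.1.1 on May 19th, 2023 to address CVE-2023-33246;
# anything older is treated as affected.
FIXED_VERSION = (5, 1, 1)


def parse_version(v: str) -> tuple:
    """Turn a version string such as '5.1.0' or '4.9.4-SNAPSHOT' into a
    comparable (major, minor, patch) tuple; trailing qualifiers are ignored."""
    core = v.strip().split("-", 1)[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unrecognised RocketMQ version string: {v!r}")
        nums.append(int(part))
    while len(nums) < 3:          # '5.1' is read as 5.1.0
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True for every release below the 5.1.1 fix."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Broker:                     # hypothetical inventory record
    host: str
    version: str
    extranet_exposed: bool        # Broker port reachable from outside
    permission_checks: bool       # Broker enforces permission verification


_RANK = {"critical": 0, "high": 1, "medium": 2}


def triage(brokers):
    """Return (host, priority) for every affected broker, most urgent first.
    Exposed and unverified -> critical; one of the two -> high; neither -> medium."""
    findings = []
    for b in brokers:
        if not is_affected(b.version):
            continue
        if b.extranet_exposed and not b.permission_checks:
            prio = "critical"
        elif b.extranet_exposed or not b.permission_checks:
            prio = "high"
        else:
            prio = "medium"
        findings.append((b.host, prio))
    return sorted(findings, key=lambda f: (_RANK[f[1]], f[0]))


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    Broker("mq-broker-01", "5.1.0", extranet_exposed=True, permission_checks=False),
    Broker("mq-broker-02", "4.9.4", extranet_exposed=False, permission_checks=True),
    Broker("mq-broker-03", "5.1.1", extranet_exposed=True, permission_checks=False),
    Broker("mq-broker-04", "5.0.0", extranet_exposed=True, permission_checks=True),
]
```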


Telemetry