CVE-2023-33246 - OpenCVE

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Rocketmq

Configuration 1 [-]

OR	cpe:2.3:a:apache:rocketmq::::::::
	cpe:2.3:a:apache:rocketmq::::::::

No data.

References

Link	Providers
http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html
http://www.openwall.com/lists/oss-security/2023/07/12/1
https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-05-24T14:45:25.684Z

Updated: 2024-08-19T07:48:09.006Z

Reserved: 2023-05-21T08:12:11.944Z

Link: CVE-2023-33246

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-24T15:15:09.553

Modified: 2024-06-27T18:38:20.037

Link: CVE-2023-33246

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33246", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-05-21T08:12:11.944Z", "datePublished": "2023-05-24T14:45:25.684Z", "dateUpdated": "2024-08-19T07:48:09.006Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache RocketMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "5.1.0", "status": "affected", "version": "0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "lvyyevd@gmail.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. </p><p>Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. </p><p>To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .</p>\n\n\n\n\n\n\n<p></p><br>"}], "value": "For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.\u00a0\n\nSeveral components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.\u00a0\n\nTo prevent these attacks, users are recommended to upgrade to version 5.1.1 or above\u00a0for using RocketMQ 5.x\u00a0or 4.9.6 or above for using RocketMQ 4.x .\n\n\n\n\n\n\n\n\n\n\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-05-24T14:45:25.684Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp"}, {"url": "http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/1"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache RocketMQ: Possible remote code execution vulnerability when using the update configuration function", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:48:09.006Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp"}, {"url": "http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/1", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/rocketmq-rce-cve-2023-33246-33247"}]}]}}

{"cisaActionDue": "2023-09-27", "cisaExploitAdd": "2023-09-06", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Apache RocketMQ Command Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DBCE249-91D7-442A-BD1B-4C20F848EB35", "versionEndExcluding": "4.9.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "68AFCD16-B82F-411E-B3E6-236CA76A1FEE", "versionEndExcluding": "5.1.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.\u00a0\n\nSeveral components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.\u00a0\n\nTo prevent these attacks, users are recommended to upgrade to version 5.1.1 or above\u00a0for using RocketMQ 5.x\u00a0or 4.9.6 or above for using RocketMQ 4.x .\n\n\n\n\n\n\n\n\n\n\n\n"}], "id": "CVE-2023-33246", "lastModified": "2024-06-27T18:38:20.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-24T15:15:09.553", "references": [{"source": "security@apache.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/12/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Primary"}]}