CVE-2023-33246 - OpenCVE

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Rocketmq

Configuration 1 [-]

OR	cpe:2.3:a:apache:rocketmq::::::::
	cpe:2.3:a:apache:rocketmq::::::::

References

Link	Resource
http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html	Exploit Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2023/07/12/1	Mailing List Third Party Advisory
https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp	Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-05-24T14:45:25.684Z

Updated: 2023-05-24T14:45:25.684Z

Reserved: 2023-05-21T08:12:11.944Z

Link: CVE-2023-33246

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-24T15:15:09.553

Modified: 2024-06-27T18:38:20.037

Link: CVE-2023-33246

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-33246", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-05-21T08:12:11.944Z", "datePublished": "2023-05-24T14:45:25.684Z", "dateUpdated": "2023-05-24T14:45:25.684Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache RocketMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "5.1.0", "status": "affected", "version": "0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "lvyyevd@gmail.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. </p><p>Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. </p><p>To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .</p>\n\n\n\n\n\n\n<p></p><br>"}], "value": "For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.\u00a0\n\nSeveral components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.\u00a0\n\nTo prevent these attacks, users are recommended to upgrade to version 5.1.1 or above\u00a0for using RocketMQ 5.x\u00a0or 4.9.6 or above for using RocketMQ 4.x .\n\n\n\n\n\n\n\n\n\n\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-05-24T14:45:25.684Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp"}, {"url": "http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/1"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache RocketMQ: Possible remote code execution vulnerability when using the update configuration function", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"cisaActionDue": "2023-09-27", "cisaExploitAdd": "2023-09-06", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Apache RocketMQ Command Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DBCE249-91D7-442A-BD1B-4C20F848EB35", "versionEndExcluding": "4.9.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "68AFCD16-B82F-411E-B3E6-236CA76A1FEE", "versionEndExcluding": "5.1.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.\u00a0\n\nSeveral components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.\u00a0\n\nTo prevent these attacks, users are recommended to upgrade to version 5.1.1 or above\u00a0for using RocketMQ 5.x\u00a0or 4.9.6 or above for using RocketMQ 4.x .\n\n\n\n\n\n\n\n\n\n\n\n"}], "id": "CVE-2023-33246", "lastModified": "2024-06-27T18:38:20.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-24T15:15:09.553", "references": [{"source": "security@apache.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/12/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Primary"}]}