
List:       oss-security
Subject:    [oss-security] CVE-2023-33246: Apache RocketMQ: RocketMQ may have a remote code execution vulnerabil
From:       Rongtong Jin <jinrongtong () apache ! org>
Date:       2023-05-23 9:48:07
Message-ID: 0e99031b-398c-6a65-5ac5-6332ca994da0 () apache ! org

Severity: moderate

Affected versions:

- Apache RocketMQ through 5.1.0

Description:

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.

Several RocketMQ components, including the NameServer, Broker, and Controller, lack permission verification. When they are exposed to the public internet, an attacker can exploit this by using the update-configuration function to execute commands as the system user that RocketMQ runs as. Additionally, an attacker can achieve the same effect by forging RocketMQ protocol content.

To prevent these attacks, users are recommended to upgrade to version 5.1.1 or later if using RocketMQ 5.x, or to 4.9.6 or later if using RocketMQ 4.x.
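The advisory fixes the issue on two release branches, so a naive "version <= 5.1.0" comparison misclassifies 4.9.6 (numerically below 5.1.0, but patched). The following inventory triage is an added example written for this page, not code from the Apache RocketMQ project or the advisory; the host names and version strings in SAMPLE_INVENTORY are constructed, and the branch-aware logic encodes only the fixed versions the advisory names (4.9.6 for 4.x, 5.1.1 for 5.x, everything through 5.1.0 affected).

```python
import re
from typing import List, Tuple

# Fixed versions named in the advisory, per release branch.
FIXED_4X = (4, 9, 6)
FIXED_5X = (5, 1, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RocketMQ version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this RocketMQ release is in the range the advisory marks as affected."""
    v = parse_version(version)
    major = v[0]
    if major == 4:
        # 4.x line: patched from 4.9.6 onward.
        return v < FIXED_4X
    if major == 5:
        # 5.x line: patched from 5.1.1 onward.
        return v < FIXED_5X
    # "through 5.1.0": releases older than the 4.x line are affected,
    # anything newer than the 5.x line is not.
    return major < 4


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still run an affected release."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory; hosts and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("namesrv-1.example.internal", "5.1.0"),
    ("broker-a.example.internal", "4.9.5"),
    ("broker-b.example.internal", "4.9.6"),
    ("controller-1.example.internal", "5.1.1"),
    ("legacy.example.internal", "3.2.6"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: RocketMQ {ver} is affected by CVE-2023-33246; upgrade")
```

The version strings would normally come from your deployment inventory or the component's startup banner; the check is deliberately branch-aware rather than a single threshold so that patched 4.9.x brokers are not flagged and unpatched 5.0.x/5.1.0 ones are.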

Credit:

lvyyevd@gmail.com (reporter)

References:

https://rocketmq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33246

