List: oss-security
Subject: [oss-security] CVE-2023-33246: Apache RocketMQ: RocketMQ may have a remote code execution vulnerabil
From: Rongtong Jin <jinrongtong () apache ! org>
Date: 2023-05-23 9:48:07
Message-ID: 0e99031b-398c-6a65-5ac5-6332ca994da0 () apache ! org
Severity: moderate
Affected versions:
- Apache RocketMQ through 5.1.0
Description:
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.

Several components of RocketMQ, including NameServer, Broker, and Controller, are exposed on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above when using RocketMQ 5.x, or to version 4.9.6 or above when using RocketMQ 4.x.
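As an added triage helper (not part of this advisory or of the RocketMQ project), the following script encodes the affected and fixed ranges stated above so an inventory of deployed RocketMQ versions can be checked; the host names and versions in the sample inventory are constructed.

```python
"""Classify RocketMQ versions against the CVE-2023-33246 fix lines."""
import re
from typing import Optional, Tuple

# Ranges taken from the advisory: affected through 5.1.0; fixed in
# 5.1.1+ for the 5.x line and in 4.9.6+ for the 4.x line.
LAST_AFFECTED = (5, 1, 0)
FIXED_4X = (4, 9, 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a leading 'major.minor.patch'; return None if it cannot be parsed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if a fixed release, None if the version is unreadable."""
    v = parse_version(version)
    if v is None:
        return None
    if v > LAST_AFFECTED:
        return False          # 5.1.1 and later (and any newer major line)
    if v[0] == 4 and v >= FIXED_4X:
        return False          # 4.9.6 and later on the 4.x maintenance line
    return True               # everything else up to 5.1.0, including 3.x


def triage(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to a status label."""
    labels = {True: "AFFECTED", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are illustrative only.
    sample = {
        "broker-a.example": "5.1.0",
        "broker-b.example": "5.1.1",
        "nameserver-1.example": "4.9.5",
        "nameserver-2.example": "4.9.7",
        "legacy.example": "3.6.2",
        "unknown.example": "dev-build",
    }
    for host, status in triage(sample).items():
        print(f"{host:24} {status}")
```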
Credit:
lvyyevd@gmail.com (reporter)
References:
https://rocketmq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33246