Bug 2317265 (CVE-2023-33246) - CVE-2023-33246 rocketmq: Apache RocketMQ Arbitrary Code Injection
Summary: CVE-2023-33246 rocketmq: Apache RocketMQ Arbitrary Code Injection
Keywords:
Status: NEW
Alias: CVE-2023-33246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-10-08 16:43 UTC by OSIDB Bzimport
Modified: 2024-10-29 02:13 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
A vulnerability was found in Apache RocketMQ where, under certain conditions, remote command execution is possible. Several RocketMQ components, including the NameServer, Broker, and Controller, perform no permission check on administrative requests. When these services are reachable from an untrusted network such as the public internet, an attacker can use the update-configuration function to execute commands as the system user that RocketMQ runs as, and can achieve the same effect by sending forged RocketMQ protocol messages directly rather than through the official client.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-10-08 16:43:50 UTC
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above when using RocketMQ 5.x, or 4.9.6 or above when using RocketMQ 4.x.
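As an added example, not part of this bug report and not code from the RocketMQ project, the following Python encodes and decodes frames in the RocketMQ remoting wire format with JSON header serialization, which is what "forging the RocketMQ protocol content" comes down to: the header carries a request code, an opaque request id, flags and a map of ext fields, and nothing in it identifies or authenticates the sender, so any host that can reach a listener can issue admin commands. The frame layout (4-byte length that excludes itself, 4-byte header-length word whose top byte is the serialization type, JSON header, then body) and the request codes 25 (UPDATE_BROKER_CONFIG) and 26 (GET_BROKER_CONFIG) are RocketMQ's own; the response body is constructed here. The code only builds the read-only GET_BROKER_CONFIG probe and interprets its reply; it deliberately does not contain the configuration value used for command execution. The version helper encodes the fixed versions stated in the advisory.

```python
import json
import re
import struct

# Request codes from RocketMQ's RequestCode for the broker configuration admin commands.
UPDATE_BROKER_CONFIG = 25   # the "update configuration" function the advisory refers to
GET_BROKER_CONFIG = 26      # read-only counterpart; enough to test for unauthenticated admin access
SUCCESS = 0                 # ResponseCode.SUCCESS in a reply header

SERIALIZE_JSON = 0          # top byte of the header-length word: 0 = JSON header, 1 = RocketMQ binary header
RESPONSE_FLAG = 1           # bit 0 of "flag" set means the frame is a response

# Fix levels named in the advisory, keyed by major version.
FIXED_VERSIONS = {4: (4, 9, 6), 5: (5, 1, 1)}


def encode_frame(code, ext_fields=None, body=b"", opaque=1, flag=0, remark=None):
    """Build one remoting frame: length | headerLenWord | JSON header | body.

    Note what is absent: no principal, no credential, no signature. Authentication
    is not part of the base frame at all.
    """
    header = {
        "code": code,
        "language": "JAVA",
        "version": 0,
        "opaque": opaque,
        "flag": flag,
        "extFields": ext_fields or {},
    }
    if remark is not None:
        header["remark"] = remark
    header_bytes = json.dumps(header, separators=(",", ":")).encode("utf-8")
    if len(header_bytes) > 0xFFFFFF:
        raise ValueError("header exceeds the 24-bit header length field")
    header_len_word = (SERIALIZE_JSON << 24) | len(header_bytes)
    # The leading length counts everything after itself: header-length word, header and body.
    total = 4 + len(header_bytes) + len(body)
    return struct.pack(">II", total, header_len_word) + header_bytes + body


def decode_frame(data):
    """Parse one frame from a byte buffer; returns (header dict, body bytes, bytes consumed)."""
    if len(data) < 8:
        raise ValueError("frame shorter than the two length words")
    total, header_len_word = struct.unpack(">II", data[:8])
    if len(data) < 4 + total:
        raise ValueError("truncated frame: need %d bytes, have %d" % (4 + total, len(data)))
    serialize_type = header_len_word >> 24
    header_len = header_len_word & 0xFFFFFF
    if serialize_type != SERIALIZE_JSON:
        raise ValueError("unsupported header serialization type %d" % serialize_type)
    if 4 + header_len > total:
        raise ValueError("header length exceeds frame length")
    header = json.loads(data[8:8 + header_len].decode("utf-8"))
    body = data[8 + header_len:4 + total]
    return header, body, 4 + total


def is_response(header):
    return bool(header.get("flag", 0) & RESPONSE_FLAG)


def parse_config_body(body):
    """GET_BROKER_CONFIG replies with the broker configuration as key=value lines."""
    config = {}
    for line in body.decode("utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def assess_config_response(frame, expected_opaque):
    """Interpret a reply to an unauthenticated GET_BROKER_CONFIG probe."""
    header, body, _ = decode_frame(frame)
    if not is_response(header) or header.get("opaque") != expected_opaque:
        return {"answered": False, "config": None, "reason": "not a matching response"}
    if header.get("code") != SUCCESS:
        return {"answered": True, "config": None, "reason": header.get("remark")}
    # A full config listing back to a request that carried no credential is the
    # precondition the advisory describes: admin commands reachable without authorization.
    return {"answered": True, "config": parse_config_body(body),
            "reason": "config returned to a request carrying no credential"}


def is_fixed_version(version):
    """True if a RocketMQ version string is at or above the fix level from the advisory."""
    parts = []
    for piece in version.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)          # tolerate suffixes such as 4.9.6-SNAPSHOT
        parts.append(int(m.group(0)) if m else 0)
    parts = tuple((parts + [0, 0, 0])[:3])
    major = parts[0]
    if major in FIXED_VERSIONS:
        return parts >= FIXED_VERSIONS[major]
    # Major lines newer than 5 post-date the fix; anything older than 4.x is treated as unfixed.
    return major > 5


if __name__ == "__main__":
    probe = encode_frame(GET_BROKER_CONFIG, opaque=7)
    # Constructed reply, not captured from a real broker.
    reply = encode_frame(SUCCESS, body=b"brokerName=broker-a\nrocketmqHome=/opt/rocketmq\n",
                         opaque=7, flag=RESPONSE_FLAG)
    print(len(probe), "byte probe;", assess_config_response(reply, 7))
```

Run the probe only against brokers you are authorized to test. A successful reply with the configuration listing means the admin command surface is reachable without credentials, which is the exposure the advisory describes; the remedy is the upgrade to 5.1.1 or 4.9.6 named above, and until then the NameServer, Broker and Controller listeners should not be reachable from untrusted networks. Since `decode_frame` returns the bytes consumed, the same function can walk a captured TCP stream frame by frame.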

