
WARNING: CRITICAL RCE VULNERABILITY IN APACHE ROCKETMQ, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-10
Version: 
1.0
Affected software: 
Apache RocketMQ versions 5.0.0 through 5.1.1, and 4.x versions through 4.9.6 (4.9.6 included)
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2023-37582: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

Risks

CVE-2023-37582 is an RCE vulnerability in Apache RocketMQ that is being actively exploited. An attacker can exploit it to execute arbitrary commands as the system user the RocketMQ NameServer runs as. The underlying weakness is CWE-94: Improper Control of Generation of Code ('Code Injection').

Successful exploitation has a high impact on the confidentiality, integrity and availability of the affected system.

It is important to note that this vulnerability is related to the earlier CVE-2023-33246. CVE-2023-33246 was patched in May 2023, but that fix did not fully address the same flaw in the NameServer component. CVE-2023-33246 was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 6 September 2023.

Note: CVE-2023-37582 has not been added to the CISA KEV catalog. Since the same component remains vulnerable, we assume that this vulnerability is being actively exploited as well. This assumption is supported by information from The Shadowserver Foundation, which has observed hundreds of hosts scanning for, and attempting to exploit, exposed RocketMQ systems.

Description

Apache RocketMQ is a cloud-native messaging, eventing and streaming platform for real-time data processing, covering cloud, edge and device deployments.

CVE-2023-37582 affects the RocketMQ NameServer component. The same weakness was previously reported as CVE-2023-33246, but the vendor's patch for that CVE did not fully fix it in the NameServer component.

An attacker can exploit this vulnerability through the NameServer's update configuration function to execute commands as the system user RocketMQ runs as. Exploitation requires both of the following conditions:

  • the NameServer address is reachable from outside the trusted network (exposed to the internet or another untrusted network), and
  • the NameServer does not enforce any authentication or authorization on the configuration update function.

Affected versions:

  • Apache RocketMQ 5.0.0 through 5.1.1
  • Apache RocketMQ 4.x through 4.9.6
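The two exploitation conditions above can be checked from the network position in question with a read-only probe, and the affected version list can be checked against an inventory. The block below is an added example written for this page, not code from the CCB or from the Apache RocketMQ project. It implements the RocketMQ remoting frame layout (a 4-byte total length, a 4-byte word holding the serialization type and header length, a JSON header, then the body) and sends request code 106, GET_BROKER_CLUSTER_INFO, which a NameServer answers without any credentials. A code-0 reply obtained from an untrusted network position shows that the NameServer is both reachable and unauthenticated from there. The request code, header field names and default port 9876 are taken from the RocketMQ source and defaults; the sample response frame is constructed here, not captured from a real server.

```python
"""RocketMQ NameServer exposure probe and affected-version check.

Added example for the CCB advisory; not code from the CCB or Apache RocketMQ.
Frame layout follows RemotingCommand.encode() in RocketMQ with JSON header
serialization (type byte 0). Only the read-only request 106 is sent.
"""
import json
import re
import socket
import struct

GET_BROKER_CLUSTER_INFO = 106   # RocketMQ RequestCode, read-only
RESPONSE_SUCCESS = 0            # RocketMQ ResponseCode.SUCCESS
SERIALIZE_JSON = 0              # SerializeType.JSON
FLAG_RESPONSE = 1               # bit 0 of "flag" marks a response frame
DEFAULT_NAMESRV_PORT = 9876


def encode_command(code, ext_fields=None, body=b"", opaque=0, flag=0):
    """Build one wire frame: [total len][type<<24 | header len][header][body]."""
    header = {"code": code, "language": "JAVA", "version": 0,
              "opaque": opaque, "flag": flag, "extFields": ext_fields or {}}
    header_bytes = json.dumps(header, separators=(",", ":")).encode()
    if len(header_bytes) > 0xFFFFFF:
        raise ValueError("header too long for the 24-bit length field")
    hdr_word = (SERIALIZE_JSON << 24) | len(header_bytes)
    total = 4 + len(header_bytes) + len(body)   # header word + header + body
    return struct.pack(">II", total, hdr_word) + header_bytes + body


def decode_command(frame):
    """Parse a complete frame into (header dict, body bytes), validating lengths."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    total, hdr_word = struct.unpack(">II", frame[:8])
    if len(frame) != 4 + total:
        raise ValueError("length field does not match frame size")
    if hdr_word >> 24 != SERIALIZE_JSON:
        raise ValueError("only JSON header serialization is handled here")
    hdr_len = hdr_word & 0xFFFFFF
    header = json.loads(frame[8:8 + hdr_len])
    return header, frame[8 + hdr_len:]


def cluster_view_from_response(frame):
    """Return the cluster info dict for a successful response, else None."""
    header, body = decode_command(frame)
    if header.get("flag", 0) & FLAG_RESPONSE and header.get("code") == RESPONSE_SUCCESS:
        return json.loads(body) if body else {}
    return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe_nameserver(host, port=DEFAULT_NAMESRV_PORT, timeout=5.0):
    """Ask a NameServer for its cluster view with no credentials.

    Network I/O; not exercised by the offline test. A non-None result from a
    host that should not be able to reach the NameServer is the exposure
    described in the advisory.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command(GET_BROKER_CLUSTER_INFO, opaque=1))
        prefix = _recv_exact(s, 4)
        (total,) = struct.unpack(">I", prefix)
        return cluster_view_from_response(prefix + _recv_exact(s, total))


def is_affected(version):
    """Affected ranges from the advisory: 5.0.0 through 5.1.1 and 4.x through 4.9.6."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    v = tuple(int(x) for x in m.groups())
    if v[0] == 5:
        return (5, 0, 0) <= v <= (5, 1, 1)
    if v[0] == 4:
        return v <= (4, 9, 6)
    return False   # other major versions are not named in the advisory


# Constructed sample: what a NameServer's answer to request 106 looks like.
SAMPLE_RESPONSE = encode_command(
    RESPONSE_SUCCESS, flag=FLAG_RESPONSE, opaque=1,
    body=b'{"brokerAddrTable":{},"clusterAddrTable":{"DefaultCluster":["broker-a"]}}')

if __name__ == "__main__":
    import sys
    print(probe_nameserver(sys.argv[1]) if len(sys.argv) > 1
          else cluster_view_from_response(SAMPLE_RESPONSE))
```

Run `python probe.py <nameserver-host>` from the network segment you want to evaluate; only run it against systems you are authorised to test. The script never sends the configuration update request, so it cannot trigger the vulnerability itself.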

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing. The patched versions are the following:

  • NameServer version 5.1.2 or above for RocketMQ 5.x
  • NameServer version 4.9.7 or above for RocketMQ 4.x

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place: organizations should also check for signs of earlier intrusion.

References

https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/

https://nvd.nist.gov/vuln/detail/CVE-2023-33246

https://nvd.nist.gov/vuln/detail/CVE-2023-37582