An arbitrary code injection vulnerability has been discovered to affect RocketMQ 5.1.0 and lesser versions. The vulnerability which has been leaked on the web, is discovered to lack permission verification.
The exploit which allows a threat actor to run an update configuration function, to execute commands if the system runs RocketMQ. This allows the attacker to achieve the same effect by forging the RocketMQ protocol content.
WHAT IS Apache RocketMQ
It is an open-source messaging streaming middleware with low latency, and high performance; that was developed by Alibaba, and donated to Apache.
Image source: Google
The attack which is a command injection type, affects Apache RocketMQ version 5.1 and below. The successful exploit of the vulnerability, allows the attacker to remotely execute commands, as the system user, under which RocketMQ is running; using update configuration function.
The exploit which affects several components such as Nameserver, Broker, and controller, which is leaked on the web, lacks permission verification. This allows attacker to exploit this vulnerability using the update configuration function to execute commands as the legitimate user of the system running the RocketMQ messaging application.
CVSS Severity & Metrics
The severity and metrics have a CVE-2023-33246 and a base score of 9.8, which is considered high. The vulnerability is said to impact the TRIAD of cybersecurity.
Image source: nist.gov
Proof of Concept
It is noted that the proof of concept (POC) of the code which is on the web, enabling the attacks that will leverage the vulnerability to be on the rise. Hence, users are advised to apply security updates and patches as soon as possible.
Image source: Malayke
Apache has released a new version of RocketMQ v5.1.1 on may 19th, 2023 in other to address the vulnerability.
Please do let us know in the comment section what are your thoughts about this.