Despite the fix, two Apache RocketMQ RCE vulnerabilities have become a reconnaissance tool

Who is looking for vulnerable Apache systems and why?

Every day the ShadowServer platform detects hundreds of IP addresses scanning for, or attempting to exploit, Apache RocketMQ services affected by the Remote Code Execution (RCE) vulnerabilities CVE-2023-33246 and CVE-2023-37582. Both vulnerabilities are critical and stem from an issue that remained exploitable after the vendor's first patch, released in May 2023.

Initially, the security issue was tracked as CVE-2023-33246 (CVSS score: 9.8) and affected several components, including NameServer, Broker, and Controller. Apache released a fix, but it was incomplete for the NameServer component in RocketMQ, and the bug continued to affect versions 5.1 and earlier.

The Apache RocketMQ NameServer, Broker, and Controller components are exposed to the extranet and perform no permission checks. An attacker can use the vulnerability to execute arbitrary commands as the system user running RocketMQ, triggering the flaw either through the configuration update function or by forging the content of RocketMQ protocol messages.

The issue is now tracked as CVE-2023-37582 (CVSS score: 9.8). Users of RocketMQ 5.x/4.x are advised to upgrade NameServer to version 5.1.2/4.9.7 or higher to avoid attacks that exploit this vulnerability.
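As an added defensive example (not code from the post or from the RocketMQ project), the following Python parses a RocketMQ remoting frame and flags configuration-update requests that arrive from hosts outside an administrative allowlist; the request codes 25 (UPDATE_BROKER_CONFIG) and 318 (UPDATE_NAMESRV_CONFIG) come from RocketMQ's RequestCode constants, while the sample frame, allowlist and IP addresses are constructed for the demonstration.

```python
import json
import struct
from typing import Optional

# RocketMQ RequestCode values for the remote configuration-update commands
# (org.apache.rocketmq.remoting.protocol.RequestCode).
CONFIG_UPDATE_CODES = {25: "UPDATE_BROKER_CONFIG", 318: "UPDATE_NAMESRV_CONFIG"}
JSON_SERIALIZE_TYPE = 0  # RocketMQ's default header serialization


def parse_frame(frame: bytes) -> dict:
    """Decode one RocketMQ remoting frame with a JSON-serialized header.
    Layout: 4-byte total length | 1-byte serialize type + 3-byte header length
    | JSON header | body (raw bytes)."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    (total_len,) = struct.unpack(">I", frame[:4])
    if total_len + 4 != len(frame):
        raise ValueError("length field does not match frame size")
    if frame[4] != JSON_SERIALIZE_TYPE:
        raise ValueError("only JSON-serialized headers are handled here")
    header_len = int.from_bytes(frame[5:8], "big")
    header = json.loads(frame[8:8 + header_len])
    return {"header": header, "body": frame[8 + header_len:]}


def classify(frame: bytes, src_ip: str, admin_allowlist: set) -> Optional[dict]:
    """Return an alert if the frame is a config-update request from a host that
    is not an allowed administration source; otherwise None."""
    parsed = parse_frame(frame)
    name = CONFIG_UPDATE_CODES.get(parsed["header"].get("code"))
    if name is None or src_ip in admin_allowlist:
        return None
    # Config bodies are Java-properties text; report only the keys being changed.
    text = parsed["body"].decode("utf-8", "replace")
    keys = [ln.split("=", 1)[0].strip() for ln in text.splitlines() if "=" in ln]
    return {"src": src_ip, "request": name, "keys": keys}


def build_frame(code: int, body: bytes) -> bytes:
    """Constructed sample frame for testing; mirrors the layout parse_frame expects."""
    header = json.dumps({"code": code, "language": "JAVA", "version": 0,
                         "opaque": 1, "flag": 0, "extFields": {}}).encode()
    total_len = 4 + len(header) + len(body)
    return (struct.pack(">I", total_len) + bytes([JSON_SERIALIZE_TYPE])
            + len(header).to_bytes(3, "big") + header + body)


if __name__ == "__main__":
    sample = build_frame(25, b"sendMessageThreadPoolNums=4\n")  # constructed
    print(classify(sample, "203.0.113.7", {"10.0.0.5"}))
```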

The ShadowServer Foundation has recorded more than 500 hosts scanning Internet-accessible RocketMQ systems, some of them attempting to exploit the two vulnerabilities. Most of the detected hosts are located in the United States, China, Thailand, and the United Kingdom. ShadowServer notes that the observed activity may be reconnaissance, exploitation attempts, or researchers scanning open endpoints.

Attackers have been targeting vulnerable Apache RocketMQ systems since at least August 2023, when a new version of the DreamBus botnet was spotted using the CVE-2023-33246 exploit to deploy XMRig miners on vulnerable servers. In September 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch the vulnerability by the end of the month, warning that it was being actively exploited.