PT-2023-5402 · Apache · Apache Rocketmq

Lvyyevd@Gmail.Com

+1

Published 2023-05-23 · Updated 2025-04-10 · CVE-2023-33246

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache RocketMQ versions 5.1.0 and below
Apache RocketMQ versions prior to 4.9.6

Description

The vulnerability is a permission verification issue in Apache RocketMQ that allows attackers to achieve remote command execution under certain conditions. Several RocketMQ components, including NameServer, Broker, and Controller, are exposed on external networks without permission verification, so an attacker can abuse the update configuration function to execute commands as the system user that RocketMQ runs as. An attacker can achieve the same effect by forging RocketMQ protocol content. The vulnerability is being actively exploited in attacks; users of RocketMQ 5.x should upgrade to version 5.1.1 or above, and users of RocketMQ 4.x should upgrade to version 4.9.6 or above.

Recommendations

For Apache RocketMQ versions 5.1.0 and below, upgrade to version 5.1.1 or above. For Apache RocketMQ versions prior to 4.9.6, upgrade to version 4.9.6 or above.
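As an added example (not part of this advisory), the following Python applies the fixed-version thresholds stated above to an inventory of RocketMQ versions, so an operator can see which NameServer, Broker and Controller hosts still need the upgrade. The `host version` inventory format, the sample hosts and the handling of release lines the advisory does not name (pre-4.x treated as affected, post-5.x as out of scope) are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions stated in the advisory, keyed by major release line.
FIXED_VERSIONS = {4: (4, 9, 6), 5: (5, 1, 1)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' and ignore qualifiers such as '-SNAPSHOT'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised RocketMQ version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_target) for CVE-2023-33246."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        if parsed[0] < 4:
            # Assumption: anything older than 4.x falls under "prior to 4.9.6".
            return True, "4.9.6"
        # Assumption: release lines newer than 5.x are outside this advisory.
        return False, None
    if parsed < fixed:
        return True, ".".join(map(str, fixed))
    return False, None


def triage(inventory: str) -> Dict[str, dict]:
    """inventory: one '<host> <version>' pair per line (constructed format)."""
    report = {}
    for line in inventory.strip().splitlines():
        host, ver = line.split()
        affected, target = assess(ver)
        report[host] = {"version": ver, "affected": affected, "upgrade_to": target}
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
namesrv-01 4.9.4
broker-01 5.1.0-SNAPSHOT
broker-02 5.1.1
controller-01 4.9.6
"""

if __name__ == "__main__":
    for host, info in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {info['version']:16} affected={info['affected']} upgrade_to={info['upgrade_to']}")
```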

Exploit

Fix

DoS

RCE

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2023-06032
CVE-2023-33246
GHSA-X3CQ-8F32-5F63

Affected Products

Apache Rocketmq