Apache RocketMQ may have remote code execution vulnerability when using update configuration function

2023-07-0621:15:04

CWE-94

GitHub Advisory Database

github.com

apache rocketmq

remote code execution

vulnerability

update configuration

version 5.x

version 4.x

permission verification

rocketmq protocol

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.973 High

EPSS

Percentile

99.9%

JSON

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.

Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .

Affected configurations

Vulners

Node

org.apache.rocketmq\rocketmqMatchnamesrv

org.apache.rocketmq\rocketmqMatchcontroller

org.apache.rocketmq\rocketmqMatchnamesrv

org.apache.rocketmq\rocketmqMatchbroker

CPENameOperatorVersion
org.apache.rocketmq:rocketmq-namesrvlt5.1.1
org.apache.rocketmq:rocketmq-controllerlt5.1.1
org.apache.rocketmq:rocketmq-namesrvlt4.9.6
org.apache.rocketmq:rocketmq-brokerlt5.1.1

Name	Operator	Version
org.apache.rocketmq:rocketmq-namesrv	lt	5.1.1
org.apache.rocketmq:rocketmq-controller	lt	5.1.1
org.apache.rocketmq:rocketmq-namesrv	lt	4.9.6
org.apache.rocketmq:rocketmq-broker	lt	5.1.1