1. Summary
| Vulnerability Name | Apache RocketMQ Remote Command Execution Vulnerability (CVE-2023-37582) |
|---|---|
| Release Date | July 17, 2023 |
| Component Name | Apache RocketMQ NameServer |
| Affected Versions | Apache RocketMQ ≤ 4.9.6 |
| Vulnerability Type | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Severity | CVSS v3 Base Score: 9.8 (Critical) |
| Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None |
| Impact | Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High |
2. About the Vulnerability CVE-2023-37582
2.1 About the Component
Apache RocketMQ is an open-source messaging platform for high-throughput, low-latency messaging applications. The NameServer component in Apache RocketMQ is a crucial part of the messaging platform's infrastructure. It acts as a centralized registry service that manages and coordinates the entire messaging system.
2.2 About the Vulnerability
On July 17, 2023, Sangfor FarSight Labs received notification of a remote command execution vulnerability in Apache RocketMQ, identified as CVE-2023-37582, with a severity rating of Critical (CVSS Score 9.8). The RocketMQ NameServer component previously had a remote command execution vulnerability (CVE-2023-33246) that was not completely fixed in version 5.1.1.
This vulnerability can be exploited when the NameServer's IP address is exposed on the extranet/internet and the NameServer lacks effective authentication. An unauthorized attacker can abuse the NameServer component's update-configuration function, sending crafted requests that modify the configuration and consequently gaining the ability to execute arbitrary commands as the system user.
3. Affected Versions
Apache RocketMQ ≤ 4.9.6
5.0.0 ≤ Apache RocketMQ ≤ 5.1.1
4. Solutions
4.1 Apache Solution
4.1.1 Check the Component Version
To check the version of the component, execute the following command in the root directory:
sh bin/mqadmin --version
4.1.2 Version Upgrade
Apache has released updated versions of RocketMQ that fix the vulnerability, and users are advised to upgrade as soon as possible. Link: https://rocketmq.apache.org/download/
(For Apache RocketMQ 5.x, upgrade to 5.1.2 or above. For Apache RocketMQ 4.x, upgrade to 4.9.7 or above.)
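As an added helper (not part of this advisory or of the RocketMQ project), the script below applies the affected ranges from sections 3 and 4.1.2 to the version string printed by the check in 4.1.1 and reports the fixed release to move to; the sample version strings are constructed.

```python
"""Decide whether an Apache RocketMQ version is affected by CVE-2023-37582."""
import re
import sys

# Affected ranges as stated in the advisory: <= 4.9.6 and 5.0.0 .. 5.1.1.
# Fixed releases: 4.9.7 for the 4.x line, 5.1.2 for the 5.x line.
AFFECTED_RANGES = (
    ((0, 0, 0), (4, 9, 6), "4.9.7"),
    ((5, 0, 0), (5, 1, 1), "5.1.2"),
)


def parse_version(text):
    """Extract the first x.y.z version from free-form text such as mqadmin output."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return (affected, fixed_version): fixed_version is None when not affected."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return True, fixed
    return False, None


def report(version_text):
    """Human-readable verdict for one version string."""
    affected, fixed = assess(version_text)
    shown = ".".join(map(str, parse_version(version_text)))
    if affected:
        return f"{shown}: AFFECTED by CVE-2023-37582, upgrade to {fixed} or above"
    return f"{shown}: not affected by CVE-2023-37582"


if __name__ == "__main__":
    # Pipe the version check in: sh bin/mqadmin --version | python3 check.py
    # Without stdin input, constructed sample strings are evaluated instead.
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        for sample in ("4.9.6", "4.9.7", "5.1.1", "5.1.2"):  # constructed samples
            print(report(sample))
```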
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Apache RocketMQ remote command execution vulnerability (CVE-2023-37582):
- Sangfor Cyber Command (Network Detection & Response)
- Sangfor Cyber Guardian (Managed Detection and Response Service)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Apache RocketMQ remote command execution vulnerability (CVE-2023-37582):
- Sangfor NGAF (Next Generation Firewall)
- Sangfor Cyber Guardian (Managed Detection and Response Service)
5. Timeline
On July 17, 2023, Sangfor FarSight Labs received a notification about the Apache RocketMQ Remote Command Execution Vulnerability (CVE-2023-37582).
On July 17, 2023, Sangfor FarSight Labs released a vulnerability alert.
On July 24, 2023, Sangfor FarSight Labs updated the vulnerability alert with remediation solutions.
6. Reference
https://nvd.nist.gov/vuln/detail/CVE-2023-37582
https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.