Apache RocketMQ code injection vulnerability reproduction (CVE-2023-33246)

Product Introduction

Apache RocketMQ is a lightweight data processing platform and messaging engine developed by the Apache Software Foundation.

Vulnerability Overview

Apache RocketMQ versions 5.1.0 and earlier are vulnerable to code injection. The flaw is a remote command execution issue: by exploiting the update configuration feature, an attacker can execute commands with system user privileges.

Impact

<5.1.0

Vulnerability Reproduction

Environment setup:

docker pull apache/rocketmq:4.9.4
# Start nameserver
docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.4 sh mqnamesrv
# Start Broker
docker run -d --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -p 10909:10909 -p 10911:10911 -p 10912:10912 apache/rocketmq:4.9.4 sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
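
By default, the `-p` options above publish the nameserver and broker ports on every host interface, so the deliberately vulnerable containers are reachable from the network. The following is an added example, not part of the original post: it starts the same lab with the ports bound to loopback only and audits `docker port` output for any remaining non-loopback binding. The function and variable names are hypothetical.

```bash
# Added example: keep the deliberately vulnerable lab off the network.
# Container names, image tag and ports come from the setup above;
# the function names are hypothetical.
NAMESRV_PORTS="9876"
BROKER_PORTS="10909 10911 10912"

# Build "-p 127.0.0.1:PORT:PORT" arguments so Docker publishes on loopback only.
loopback_publish_args() {
    local out="" p
    for p in "$@"; do
        out="$out -p 127.0.0.1:$p:$p"
    done
    printf '%s\n' "${out# }"
}

# Read `docker port <container>` output on stdin; print bindings not on loopback.
non_loopback_bindings() {
    local line host
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        host="${line##* -> }"   # e.g. 0.0.0.0:10911 or [::]:10911
        case "$host" in
            127.*|"[::1]":*|localhost:*) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Same containers as above, published on 127.0.0.1 only (word splitting intended).
start_lab() {
    docker run -d --name rmqnamesrv $(loopback_publish_args $NAMESRV_PORTS) \
        apache/rocketmq:4.9.4 sh mqnamesrv
    docker run -d --name rmqbroker --link rmqnamesrv:namesrv \
        -e "NAMESRV_ADDR=namesrv:9876" $(loopback_publish_args $BROKER_PORTS) \
        apache/rocketmq:4.9.4 sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
}

# Return non-zero if a lab container still publishes a port beyond loopback.
audit_lab() {
    local c bad=0
    for c in rmqnamesrv rmqbroker; do
        if docker port "$c" | non_loopback_bindings | grep -q .; then
            echo "WARNING: $c is reachable from other hosts" >&2
            bad=1
        fi
    done
    return "$bad"
}
```

Run `start_lab` and then `audit_lab` on the Docker host; with loopback bindings, any test tooling has to run on that same host.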

Check for vulnerability using the script

Reverse shell

Listen on port 1234 using nc

Official patches have been released. Official patch download link: https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

References

GitHub - I5N0rth/CVE-2023-33246

GitHub - SuperZero/CVE-2023-33246: Apache RocketMQ Remote Code Execution Vulnerability (CVE-2023-33246) Exploit

GitHub - Le1a/CVE-2023-33246: Apache RocketMQ Remote Code Execution Vulnerability (CVE-2023-33246) Exploit

GitHub - Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT: CVE-2023-33246 RocketMQ RCE Detect By Version and Exploit
