Apache RocketMQ Remote Code Execution Vulnerability (CVE-2023-37582)

Jul 17, 2023 GMT+08:00

I. Overview

Recently, Apache officially released a security notice, disclosing a remote code execution vulnerability (CVE-2023-37582) in some versions of Apache RocketMQ. Since the vulnerability CVE-2023-33246 has not been completely fixed. When the NameServer component is exposed on the external network without permission verification, attackers can exploit this vulnerability to update the configuration of the NameServer component and execute commands as a system user of RocketMQ. Currently, the vulnerability exploitation details have been disclosed, and the risk is high.

Apache RocketMQ is an open-source distributed message middleware system that applies to message communication and data synchronization in large-scale distributed systems. If you are an Apache RocketMQ user, check your system and implement timely security hardening.

References:

https://www.cve.org/CVERecord?id=CVE-2023-37582

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache RocketMQ < 4.9.7

Apache RocketMQ < 5.1.2

Secure versions:

Apache RocketMQ 5.x >= 5.1.2

Apache RocketMQ 4.x >= 4.9.7

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://rocketmq.apache.org/download/

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.