Two related vulnerabilities, CVE-2023-33246 and CVE-2023-37582, have been found in Apache RocketMQ, exposing its servers to remote command execution (RCE). Apache patched CVE-2023-33246 in May 2023, but the fix was incomplete and the NameServer component remained exploitable; that residual flaw is tracked as CVE-2023-37582.
CVE-2023-33246 initially affected the NameServer, Broker, and Controller components. After the first patch, the NameServer remained vulnerable in RocketMQ 5.1.1 and earlier (4.9.6 and earlier on the 4.x line). Where a NameServer is reachable from the internet and its admin interface performs no permission checks, an attacker can call the update configuration function to execute commands as the operating system user that RocketMQ runs as.
CVE-2023-37582 stems from this incomplete fix. Users should upgrade the NameServer to version 5.1.2 or above (RocketMQ 5.x) or 4.9.7 or above (RocketMQ 4.x) to close it.
Organizations running Apache RocketMQ should upgrade their NameServers to the recommended versions immediately. Failing to do so leaves the systems open to unauthorized command execution and, from there, full compromise of the host.
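As an added example (not part of the original advisory or of the RocketMQ project), the following Python script triages a host inventory against the fixed versions above. The 5.1.2/4.9.7 thresholds for CVE-2023-37582 are the ones stated in this advisory; the 5.1.1/4.9.6 thresholds for CVE-2023-33246 are the fixed versions named in Apache's original advisory for that CVE. The host names and the inventory are constructed sample data, and the handling of major lines without a listed fix (conservatively treated as unpatched) is a triage policy choice, not something the advisories state.

```python
"""Triage Apache RocketMQ nodes against CVE-2023-33246 and CVE-2023-37582.

Fixed versions (per the Apache advisories):
  CVE-2023-33246  5.1.1 (5.x) / 4.9.6 (4.x)  NameServer, Broker, Controller
  CVE-2023-37582  5.1.2 (5.x) / 4.9.7 (4.x)  NameServer only (incomplete fix)
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# First version on each major line that carries the fix; anything lower is exposed.
FIXED_IN: dict[str, dict[int, Version]] = {
    "CVE-2023-33246": {5: (5, 1, 1), 4: (4, 9, 6)},
    "CVE-2023-37582": {5: (5, 1, 2), 4: (4, 9, 7)},
}

# Components each CVE applies to.
AFFECTED_COMPONENTS: dict[str, frozenset[str]] = {
    "CVE-2023-33246": frozenset({"nameserver", "broker", "controller"}),
    "CVE-2023-37582": frozenset({"nameserver"}),
}


def parse_version(text: str) -> Version:
    """Pull an x.y.z triple out of strings such as '5.1.0', 'v4.9.4',
    '5.1.1-SNAPSHOT' or 'rocketmq-all-4.9.7-bin-release'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_fixed(version: Version, fixed_by_major: dict[int, Version]) -> bool:
    """True when `version` is at or above the fix for its major line.

    Majors with no fix line (e.g. an end-of-life 3.x) are handled conservatively:
    only a version newer than every listed fix counts as patched (policy choice)."""
    fixed = fixed_by_major.get(version[0])
    if fixed is not None:
        return version >= fixed
    return version >= max(fixed_by_major.values())


def applicable_cves(component: str, version: str) -> list[str]:
    """Return the CVEs that still apply to one node, in catalog order."""
    comp = component.strip().lower()
    parsed = parse_version(version)
    return [
        cve
        for cve, fixed_by_major in FIXED_IN.items()
        if comp in AFFECTED_COMPONENTS[cve] and not is_fixed(parsed, fixed_by_major)
    ]


def upgrade_target(component: str, version: str) -> str | None:
    """Lowest version on the node's current major line that closes every CVE
    applicable to that component, or None when no fix line exists for it."""
    comp = component.strip().lower()
    major = parse_version(version)[0]
    targets = [
        FIXED_IN[cve][major]
        for cve in FIXED_IN
        if comp in AFFECTED_COMPONENTS[cve] and major in FIXED_IN[cve]
    ]
    if not targets:
        return None
    return ".".join(str(n) for n in max(targets))


# Constructed sample inventory (host, component, reported version); not real hosts.
SAMPLE_INVENTORY = [
    ("mq-ns-01", "NameServer", "5.1.0"),                           # both CVEs
    ("mq-ns-02", "NameServer", "5.1.1"),                           # CVE-2023-37582 still open
    ("mq-ns-03", "NameServer", "rocketmq-all-4.9.7-bin-release"),  # patched 4.x line
    ("mq-broker-01", "Broker", "4.9.5"),                           # CVE-2023-33246
    ("mq-broker-02", "Broker", "5.1.1"),                           # Broker fully fixed at 5.1.1
    ("mq-ctrl-01", "Controller", "5.1.2"),                         # patched
]


def triage(inventory):
    """Return one (host, component, version, cves, upgrade_to) row per exposed node."""
    rows = []
    for host, component, version in inventory:
        cves = applicable_cves(component, version)
        if cves:
            rows.append((host, component, version, cves, upgrade_target(component, version)))
    return rows


if __name__ == "__main__":
    for host, component, version, cves, target in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {component:11} {version:30} {', '.join(cves)} -> upgrade to {target} or later")
```

The check deliberately keys on the component as well as the version: a Broker on 5.1.1 is clean, while a NameServer on the same build still needs the second patch, which is exactly the distinction the incomplete fix introduced.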
OVERVIEW
A critical vulnerability tracked as CVE-2023-33246 was found in Apache RocketMQ, a messaging and streaming platform used by enterprises. On September 6, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities catalog, underlining the severity of the flaw.
CVE-2023-33246 has a CVSS score of 9.8 and has been exploited by multiple threat actors in the wild. It is a command execution vulnerability affecting Apache RocketMQ 5.1.0 and earlier (4.9.5 and earlier on the 4.x line). The National Institute of Standards and Technology (NIST) advisory notes that several RocketMQ components, including NameServer, Broker, and Controller, are frequently exposed on external networks without permission checks. An attacker who can reach one of them can abuse the update configuration feature to execute commands as the system user running RocketMQ. Since at least June 2023, the operators of the DreamBus botnet have used this vulnerability to deploy a Monero cryptocurrency miner.
CISA has directed federal agencies to patch CVE-2023-33246 in their Apache RocketMQ installations by September 27, 2023. Where patching or other mitigation is not feasible, CISA recommends discontinuing use of the product.
Earlier DreamBus campaigns targeted a range of server-side software, including Redis, PostgreSQL, Hadoop YARN, Apache Spark, HashiCorp Consul, and SaltStack. All of these products should be kept patched as well.
INDICATORS OF COMPROMISE (IoCs)
Note: The following IoCs have been added to our standard threat lists.
Hashes
IP Addresses
SUPPORTING DOCUMENTATION