Recently, Apache officially released a security notice, disclosing a remote code execution vulnerability (CVE-2023-37582) in some versions of Apache RocketMQ. Since the vulnerability CVE-2023-33246 has not been completely fixed. When the NameServer component is exposed on the external network without permission verification, attackers can exploit this vulnerability to update the configuration of the NameServer component and execute commands as a system user of RocketMQ. Currently, the vulnerability exploitation details have been disclosed, and the risk is high.
Apache RocketMQ is an open-source distributed message middleware system that applies to message communication and data synchronization in large-scale distributed systems. If you are an Apache RocketMQ user, check your system and implement timely security hardening.
Reference:
https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
important
(Severity: low, moderate, important, and critical)
Affected versions:
Apache RocketMQ < 4.9.7
Apache RocketMQ < 5.1.2
Secure versions:
Apache RocketMQ 5.x >= 5.1.2
Apache RocketMQ 4.x >= 4.9.7
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to a latest secure version.
https://rocketmq.apache.org/download/
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
Get more professional support at any time
Contact Us
