Summary
On May 23, 2023, Apache patched a critical-severity remote code execution (RCE) vulnerability in Apache RocketMQ. Several RocketMQ components, including the NameServer, Broker, and Controller, are exposed to the Internet and perform no permission verification. A threat actor could exploit CVE-2023-33246 by forging RocketMQ protocol content or by using the update configuration function to execute commands as the system user that RocketMQ runs as.
Multiple threat actors have actively exploited this vulnerability since at least June 2023 to obtain initial access and deploy DreamBus, a Linux-based botnet. Shortly after, CISA added the vulnerability to its Known Exploited Vulnerabilities catalog.
Recommendations for CVE-2023-33246
Upgrade to a Patched Version of RocketMQ
Arctic Wolf strongly recommends upgrading to a patched version of RocketMQ.
| Product | Vulnerable Version | Fixed Version |
|---|---|---|
| Apache RocketMQ | RocketMQ through 5.1.0 | 5.1.1 or above |
| Apache RocketMQ | RocketMQ through 4.9.5 | 4.9.6 or above |
Please follow your organization’s patching and testing guidelines to avoid operational impact.
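The following is an added example, not part of the Arctic Wolf advisory or the RocketMQ project, that applies the version table above to an inventory of RocketMQ instances and flags the ones that still need upgrading, choosing the correct fixed version per release line (4.x versus 5.x). Hostnames and versions in the sample inventory are constructed; the handling of release lines older than 4.x (compared against 4.9.6) and newer than 5.x (assumed fixed) is an assumption.

```python
import re

# Fixed versions per release line, from the advisory table: 4.x is fixed in
# 4.9.6 and 5.x in 5.1.1; every earlier release on each line is affected.
FIXED_BY_LINE = {4: (4, 9, 6), 5: (5, 1, 1)}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '4.9.4' or '5.1.0-SNAPSHOT';
    trailing qualifiers are ignored, anything else raises ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RocketMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version):
    """Fix to compare against for this release line: >5.x is assumed fixed
    (None); <4.x compares against the 4.x fix, since 'through 4.9.5' covers it."""
    major = version[0]
    if major > 5:
        return None
    return FIXED_BY_LINE.get(major, FIXED_BY_LINE[4])


def is_vulnerable(text):
    """True if this RocketMQ version predates the fix for its release line."""
    version = parse_version(text)
    fixed = fixed_version_for(version)
    return fixed is not None and version < fixed


def triage(inventory):
    """Return (host, version, upgrade_target) for every instance that needs
    upgrading; unparseable versions get target 'unknown', not silently skipped."""
    findings = []
    for host, text in sorted(inventory.items()):
        try:
            if is_vulnerable(text):
                target = ".".join(map(str, fixed_version_for(parse_version(text))))
                findings.append((host, text, target))
        except ValueError:
            findings.append((host, text, "unknown"))
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"mq-broker-01": "4.9.5", "mq-broker-02": "4.9.6",
                    "mq-ns-01": "5.1.0-SNAPSHOT", "mq-ns-02": "5.1.1",
                    "mq-legacy": "3.2.6", "mq-odd": "n/a"}

if __name__ == "__main__":
    for host, ver, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} affected by CVE-2023-33246, upgrade to {target}")
```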