CVE-2023-37582: Apache RocketMQ: Possible remote code execution when using the update configuration function
First published: Wed Jul 12 2023(Updated: )
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.rocketmq:rocketmq-namesrv | >=5.0.0<5.1.2 | 5.1.2 |
| maven/org.apache.rocketmq:rocketmq-namesrv | <4.9.7 | 4.9.7 |
| Apache RocketMQ | <=4.9.6 | |
| Apache RocketMQ | >=5.0.0<=5.1.1 | |
| Apache RocketMQ | =5.1 | |
| Apache RocketMQ | =4.9.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/
- https://nvd.nist.gov/vuln/detail/CVE-2023-37582
- https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
- http://www.openwall.com/lists/oss-security/2023/07/12/1
- https://github.com/advisories/GHSA-gpq8-963w-8qc9 (Advisory)
Frequently Asked Questions
What is CVE-2023-37582?
CVE-2023-37582 is a vulnerability in Apache RocketMQ that allows for possible remote code execution when using the update configuration.
How severe is CVE-2023-37582?
CVE-2023-37582 has a severity rating of critical.
Which software versions are affected by CVE-2023-37582?
Versions 5.0.0 to 5.1.1 of Apache RocketMQ and versions up to 4.9.6 are affected by CVE-2023-37582.
How can I fix CVE-2023-37582?
To fix CVE-2023-37582, update Apache RocketMQ to version 5.1.2 or later.
Where can I find more information about CVE-2023-37582?
You can find more information about CVE-2023-37582 on the Apache mailing list, Openwall mailing list, and NIST Vulnerability Database.
- collector/oss-sec
- alias/CVE-2023-37582
- collector/github-advisory-latest
- alias/GHSA-gpq8-963w-8qc9
- collector/github-advisory
- collector/nvd-latest
- collector/nvd-index
- collector/nvd-cve
- zeroday/true
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/last-modified-date
- agent/references
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/maven
- vendor/apache
- canonical/apache rocketmq
- version/apache rocketmq/4.9.6
- version/apache rocketmq/5.0.0
- version/apache rocketmq/5.1.1
- version/apache rocketmq/5.1
- version/apache rocketmq/4.9.7