Security researchers have observed a surge in IP addresses scanning for, or attempting to exploit, Apache RocketMQ services that are susceptible to two related remote command execution flaws, tracked as CVE-2023-33246 and CVE-2023-37582. Both are rated critical, and the underlying issue remained exploitable despite the vendor's initial patch in May 2023, because that patch turned out to be incomplete. The original flaw, CVE-2023-33246, affected several RocketMQ components, including the NameServer, Broker, and Controller.
Apache's initial patch was insufficient for the NameServer component: RocketMQ versions 5.1 and older of the distributed messaging and streaming platform remained affected even after the fix shipped. Rongtong Jin, a member of the Apache RocketMQ Project Management Committee, warned, "The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1."
Attackers can exploit the flaw to execute commands through the NameServer's update-configuration function whenever the NameServer address is reachable from the internet and the endpoint performs no permission checks on who may change its configuration. As explained by Jin, who also serves as a research and development engineer at Alibaba, "When NameServer addresses are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as."
The incomplete fix is now tracked separately as CVE-2023-37582. To protect against attacks exploiting it, administrators are advised to upgrade the NameServer to version 5.1.2 or later on the RocketMQ 5.x line, or 4.9.7 or later on the 4.x line, and to avoid exposing NameServer and Broker ports to the internet at all. The ShadowServer Foundation, a nonprofit threat-tracking organization, has recorded hundreds of hosts scanning for exposed RocketMQ systems online, with some attempting to exploit the two vulnerabilities.
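The attack path above (an unauthenticated config-update request to an exposed NameServer or Broker) and the patched-version thresholds are both things a defender can check for directly. The following is an added example, not code from the RocketMQ project or from the article's sources: it decodes RocketMQ's remoting wire format (a 4-byte total length, a 4-byte word carrying the serialize type in its top byte and the JSON header length in the low 24 bits, the JSON header, then the body), flags frames whose request code is a configuration update, and tests whether a reported version meets the advisory's fix threshold. The request code values (25 for UPDATE_BROKER_CONFIG, 318 for UPDATE_NAMESRV_CONFIG, 105 for GET_ROUTEINFO_BY_TOPIC) are taken from RocketMQ's RequestCode class as I understand it and should be confirmed against your deployed version; the sample stream is constructed here and carries only a harmless property.

```python
"""Decode RocketMQ remoting frames, flag config-update requests, and check
whether a version is at or above the advisory's fixed release.
Added example; not RocketMQ project code."""
import json
import struct

# Request codes from RocketMQ's RequestCode class (assumed values; verify
# against the version you run).
UPDATE_BROKER_CONFIG = 25
UPDATE_NAMESRV_CONFIG = 318
GET_ROUTEINFO_BY_TOPIC = 105
CONFIG_UPDATE_CODES = {
    UPDATE_BROKER_CONFIG: "UPDATE_BROKER_CONFIG",
    UPDATE_NAMESRV_CONFIG: "UPDATE_NAMESRV_CONFIG",
}
SERIALIZE_JSON = 0  # RocketMQ's JSON header serialization type code


def encode_frame(header: dict, body: bytes = b"") -> bytes:
    """Build one remoting frame: [total len][type<<24 | header len][header][body].
    The total length counts the second 4-byte word, the header and the body,
    but not itself."""
    header_data = json.dumps(header, separators=(",", ":")).encode()
    total = 4 + len(header_data) + len(body)
    hdr_word = (SERIALIZE_JSON << 24) | len(header_data)
    return struct.pack(">II", total, hdr_word) + header_data + body


def decode_frames(data: bytes):
    """Yield (header, body) for each complete frame in a byte stream.
    A trailing truncated frame is ignored rather than mis-parsed."""
    off = 0
    while off + 8 <= len(data):
        total, hdr_word = struct.unpack_from(">II", data, off)
        if off + 4 + total > len(data):
            break  # incomplete frame at the end of the capture
        ser_type = hdr_word >> 24
        hdr_len = hdr_word & 0x00FFFFFF
        hdr_start = off + 8
        hdr_bytes = data[hdr_start:hdr_start + hdr_len]
        body = data[hdr_start + hdr_len:off + 4 + total]
        if ser_type == SERIALIZE_JSON:
            header = json.loads(hdr_bytes)
        else:
            # RocketMQ's compact binary header encoding is not decoded here;
            # surface the raw bytes so the frame is still visible.
            header = {"code": None, "raw_header": hdr_bytes.hex()}
        yield header, body
        off += 4 + total


def flag_config_updates(data: bytes) -> list:
    """Return every frame that asks a NameServer or Broker to change its
    configuration; on an internet-exposed port this is the request shape
    the attacks in the article rely on."""
    hits = []
    for header, body in decode_frames(data):
        code = header.get("code")
        if code in CONFIG_UPDATE_CODES:
            hits.append({
                "code": code,
                "name": CONFIG_UPDATE_CODES[code],
                "opaque": header.get("opaque"),
                "body": body.decode(errors="replace"),
            })
    return hits


def is_patched(version: str) -> bool:
    """True when version is >= 5.1.2 on the 5.x line or >= 4.9.7 on the 4.x
    line, the thresholds given in the advisory."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[0] >= 5:
        return parts >= (5, 1, 2)
    if parts[0] == 4:
        return parts >= (4, 9, 7)
    return False


# Constructed sample: one ordinary route lookup followed by one config update.
SAMPLE_STREAM = (
    encode_frame({"code": GET_ROUTEINFO_BY_TOPIC, "language": "JAVA",
                  "version": 1, "opaque": 1, "flag": 0,
                  "extFields": {"topic": "orders"}})
    + encode_frame({"code": UPDATE_NAMESRV_CONFIG, "language": "JAVA",
                    "version": 1, "opaque": 2, "flag": 0},
                   b"listenPort=9876\n")
)

if __name__ == "__main__":
    for hit in flag_config_updates(SAMPLE_STREAM):
        print("config update:", hit["name"], "opaque", hit["opaque"],
              "body", repr(hit["body"]))
    for v in ("4.9.6", "4.9.7", "5.1.1", "5.1.2"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

Run against a pcap's TCP payload for port 9876 (NameServer) or 10911 (Broker), any config-update frame arriving from an address outside your own operations network is worth an alert regardless of its body, since the endpoint itself performs no permission check.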
The ShadowServer Foundation notes that the activity it observes could be reconnaissance by potential attackers, actual exploitation attempts, or researchers scanning for exposed endpoints. Attackers have been targeting vulnerable Apache RocketMQ systems since August 2023, with the DreamBus botnet using a CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers. In September 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-33246 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch it by the end of that month, confirming its active exploitation.