Home
Mapping Frameworks
Known Exploited Vulnerabilities Home
Apache RocketMQ Command Execution Vulnerability

Known Exploited Vulnerabilities CVE-2023-33246 Mappings

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
CVE-2023-33246	Apache RocketMQ Command Execution Vulnerability	secondary_impact	T1608.001	Upload Malware	Comments This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware. References https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246 https://arcticwolf.com/resources/blog/cve-2023-33246/
CVE-2023-33246	Apache RocketMQ Command Execution Vulnerability	primary_impact	T1059	Command and Scripting Interpreter	Comments This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware. References https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246 https://arcticwolf.com/resources/blog/cve-2023-33246/
CVE-2023-33246	Apache RocketMQ Command Execution Vulnerability	exploitation_technique	T1190	Exploit Public-Facing Application	Comments This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware. References https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246 https://arcticwolf.com/resources/blog/cve-2023-33246/