Active Exploitation of Apache RocketMQ updateConfig Command Execution Vulnerability (CVE-2023-33246)

Fortiguard Security Advisory

What is VMware Apache RocketMQ?

Apache RocketMQ is an open-source distributed messaging middleware developed by the Alibaba. It was later donated to Apache.

What is the Attack?

CVE-2023-33246 is a command injection vulnerability that affects Apache RocketMQ versions 5.1 and lower. Successful exploitation of the vulnerability allows a remote attacker to execute commands as the system user under which RocketMQ is running by using the update configuration function.

Why is this Significant?

This is significant because CVE-2023-33246 is reportedly being exploited in the wild. Additionally, proof-of-concept (PoC) code is publicly available. As such, attacks that leverage the vulnerability are expected to increase.

FortiGuard Labs advises that the patch should be applied as soon as possible.

What is the Vendor Solution?

Apache released RocketMQ version 5.1.1 on May 19th, 2023 to address the issue.

What FortiGuard Coverage is available?

FortiGuard Labs has released a new IPS signature “Apache.RocketMQ.updateConfig.Command.Execution” in version 24.593. For a full comprehensive lists of protections from FortiGuard Labs, please visit the Outbreak Alert page for further details.