cnvd - cnvd-2023-70283

cnvd-2023-70283

Vulnerability from cnvd

Title: Apache RocketMQ代码注入漏洞

Description:

Apache RocketMQ是美国阿帕奇（Apache）基金会的一款轻量级的数据处理平台和消息传递引擎。

Apache RocketMQ存在代码注入漏洞，该漏洞源于NameServer地址在外网泄露且缺乏权限验证，攻击者可利用该漏洞导致NameServer组件存在远程命令执行。

Severity: 高

Patch Name: Apache RocketMQ代码注入漏洞的补丁

Patch Description:

Apache RocketMQ是美国阿帕奇（Apache）基金会的一款轻量级的数据处理平台和消息传递引擎。

Apache RocketMQ存在代码注入漏洞，该漏洞源于NameServer地址在外网泄露且缺乏权限验证，攻击者可利用该漏洞导致NameServer组件存在远程命令执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-37582

Impacted products

Name
['Apache RocketMQ >=5.0.0，<=5.1.1', 'Apache RocketMQ <=4.9.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-37582",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-37582"
    }
  },
  "description": "Apache RocketMQ\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u7684\u6570\u636e\u5904\u7406\u5e73\u53f0\u548c\u6d88\u606f\u4f20\u9012\u5f15\u64ce\u3002\n\nApache RocketMQ\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eNameServer\u5730\u5740\u5728\u5916\u7f51\u6cc4\u9732\u4e14\u7f3a\u4e4f\u6743\u9650\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4NameServer\u7ec4\u4ef6\u5b58\u5728\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-70283",
  "openTime": "2023-09-21",
  "patchDescription": "Apache RocketMQ\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u7684\u6570\u636e\u5904\u7406\u5e73\u53f0\u548c\u6d88\u606f\u4f20\u9012\u5f15\u64ce\u3002\r\n\r\nApache RocketMQ\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eNameServer\u5730\u5740\u5728\u5916\u7f51\u6cc4\u9732\u4e14\u7f3a\u4e4f\u6743\u9650\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4NameServer\u7ec4\u4ef6\u5b58\u5728\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache RocketMQ\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache RocketMQ \u003e=5.0.0\uff0c\u003c=5.1.1",
      "Apache RocketMQ \u003c=4.9.6"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-37582",
  "serverity": "\u9ad8",
  "submitTime": "2023-07-14",
  "title": "Apache RocketMQ\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2023-37582 (GCVE-0-2023-37582)

Vulnerability from cvelistv5

Published

2023-07-12 09:26

Modified

2025-04-23 16:20

Severity ?

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.

References

▼	URL	Tags
	https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc	vendor-advisory
	http://www.openwall.com/lists/oss-security/2023/07/12/1

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache RocketMQ	Version: 5.0.0 Version: 0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:16:30.839Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/12/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-37582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:27:22.203941Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:20:32.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache RocketMQ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "5.1.1",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "4.9.6",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "soreatu@gmail.com"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "yuansec@outlook.com"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. \u003cbr\u003e\u003cbr\u003eWhen NameServer address \u003c/span\u003eare leaked on the extranet and lack permission verification, a\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003en attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. \u003cbr\u003e\u003cbr\u003eIt is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. \n\nWhen NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. \n\nIt is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T09:30:10.439Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/12/1"
        }
      ],
      "source": {
        "defect": [
          "https://github.com/apache/rocketmq/pull/6843"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache RocketMQ: Possible remote code execution when using the update configuration function",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-37582",
    "datePublished": "2023-07-12T09:26:18.652Z",
    "dateReserved": "2023-07-09T11:28:58.413Z",
    "dateUpdated": "2025-04-23T16:20:32.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted