TCP: Apache RocketMQ Remote Code Execution
This signature detects attempts to exploit a known vulnerability against Apache RocketMQ. A successful attack can lead to arbitrary code execution.
Extended Description
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or abovefor using RocketMQ 5.xor 4.9.6 or above for using RocketMQ 4.x .
Affected Products
Apache rocketmq
References
CVE: CVE-2023-33246
URL: https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp
Short Name
TCP:C2S:APACHE-ROCKETMQ-UPDT-CE
Severity
Major
Recommended
True
Recommended Action
Drop
Category
TCP
Keywords
Apache CVE-2023-33246 Code Execution Remote RocketMQ
Release Date
06/06/2023
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3783
Port
TCP/10909,10911,10912,9876
False Positive
Unknown
Vendors
Apache