CVE-2023-33246
Published: 24 May 2023
Summary
CVE-2023-33246 is a critical-severity Code Injection (CWE-94) vulnerability in Apache RocketMQ. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks among the CVEs most likely to be exploited (its EPSS percentile rounds to the top 0.0%); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2023-33246 is a remote code execution vulnerability affecting Apache RocketMQ versions 5.1.0 and earlier. It stems from exposed NameServer, Broker, and Controller components that lack authentication and authorization checks, combined with an unauthenticated update configuration function and the ability to forge RocketMQ protocol messages. The flaw is classified under CWE-94 and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker who can reach the affected components over the network can invoke the configuration update mechanism or craft malicious protocol packets to execute arbitrary commands with the privileges of the user running RocketMQ. This grants full control over the message-broker processes and any data or systems they can access.
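The attack path above has two properties a defender can key on: the request is a configuration update (or another forged remoting command) and it arrives from a peer that should never be able to reach the broker or NameServer at all. The following added example (written for this page, not code from the RocketMQ project or from the advisory) decodes RocketMQ remoting frames, identifies config-update requests and applies a deny-by-default decision: anything from outside the trusted network is dropped, and config updates are allowed only from an admin allowlist. The frame layout (total length, then a 4-byte field whose high byte is the serialize type and whose low 24 bits are the header length, then a JSON header) follows RemotingCommand.encode as I recall it, and the request codes 25 (UPDATE_BROKER_CONFIG) and 318 (UPDATE_NAMESRV_CONFIG) are quoted from RocketMQ's RequestCode class from memory; verify both against the version you run. The networks, hosts and sample frames are constructed for the example.

```python
import ipaddress
import json
import struct

# Request codes from RocketMQ's RequestCode class (quoted from memory; verify
# against your deployed version before relying on them).
UPDATE_BROKER_CONFIG = 25
UPDATE_NAMESRV_CONFIG = 318

SERIALIZE_JSON = 0       # header is a JSON object
SERIALIZE_ROCKETMQ = 1   # header is RocketMQ's compact binary encoding

# Hypothetical policy: brokers/NameServers are reachable only from the internal
# network, and only one admin host may push configuration changes.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_HOSTS = {ipaddress.ip_address("10.0.0.5")}


def encode_frame(code: int, ext_fields: dict, body: bytes = b"") -> bytes:
    """Build a JSON-serialized remoting frame (used here only to construct
    sample traffic; mirrors RemotingCommand.encode as recalled)."""
    header = json.dumps({
        "code": code, "language": "JAVA", "version": 0, "opaque": 1,
        "flag": 0, "remark": None, "extFields": ext_fields,
    }).encode()
    header_len_field = struct.pack(">I", (SERIALIZE_JSON << 24) | len(header))
    total = 4 + len(header) + len(body)   # excludes the 4-byte total field itself
    return struct.pack(">I", total) + header_len_field + header + body


def decode_frame(frame: bytes) -> dict:
    """Parse one remoting frame and return its request code, serialize type,
    extFields and body. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    total, hl_field = struct.unpack(">II", frame[:8])
    if len(frame) != 4 + total:
        raise ValueError("length field does not match frame size")
    serialize_type = hl_field >> 24
    header_len = hl_field & 0x00FFFFFF
    header = frame[8:8 + header_len]
    body = frame[8 + header_len:]
    if len(header) != header_len:
        raise ValueError("truncated header")
    if serialize_type == SERIALIZE_JSON:
        hdr = json.loads(header.decode())
        code = int(hdr["code"])
        ext = hdr.get("extFields") or {}
    elif serialize_type == SERIALIZE_ROCKETMQ:
        # Binary header (RocketMQSerializable, from memory): the request code is
        # the first big-endian short. Only the code is needed for this check.
        if len(header) < 2:
            raise ValueError("binary header too short")
        code = struct.unpack(">H", header[:2])[0]
        ext = {}
    else:
        raise ValueError(f"unknown serialize type {serialize_type}")
    return {"code": code, "serialize_type": serialize_type,
            "extFields": ext, "body": body}


def is_config_update(code: int) -> bool:
    return code in (UPDATE_BROKER_CONFIG, UPDATE_NAMESRV_CONFIG)


def parse_config_body(body: bytes) -> dict:
    """The update-config body is a Java-properties style key=value text; parse it
    so an alert can record which settings the sender tried to change."""
    props = {}
    for line in body.decode(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def decide(src_ip: str, frame: bytes) -> str:
    """Deny-by-default decision for one frame from src_ip.
    'deny:boundary'       -> peer is outside the trusted network (SC-7)
    'deny:config-update'  -> config change from a non-admin host (AC-3)
    'allow'               -> everything else"""
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in TRUSTED_NETS):
        return "deny:boundary"
    cmd = decode_frame(frame)
    if is_config_update(cmd["code"]) and ip not in ADMIN_HOSTS:
        return "deny:config-update"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a config update carrying a harmless key, not an exploit body.
    sample = encode_frame(UPDATE_BROKER_CONFIG, {}, b"someKey=someValue\n")
    for src in ("203.0.113.7", "10.0.0.42", "10.0.0.5"):
        print(src, decide(src, sample), parse_config_body(decode_frame(sample)["body"]))
```

Run as a script to see the three verdicts; wire `decode_frame` and `decide` into whatever sees the broker's ingress traffic (a proxy, an IDS preprocessor, or a replay of a pcap). The boundary check runs before any parsing so that malformed or unknown-serialization frames from the outside are dropped without being decoded; a frame that only fails to parse from a trusted host still raises so it is not silently allowed.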
Apache advisories and the referenced OSS-Security disclosure recommend immediate upgrade to RocketMQ 5.1.1 or newer for the 5.x branch and 4.9.6 or newer for the 4.x branch. Public exploit code has been posted to Packet Storm, and the vulnerability appears on the oss-security mailing list.
The associated EPSS score remains persistently high, with a current value of 0.9439 and a recorded peak of 0.9736.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2175
Vulnerability details
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are exposed on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above when using RocketMQ 5.x, or 4.9.6 or above when using RocketMQ 4.x.
- CWE(s): CWE-94 (Code Injection)
- KEV date added: 06 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization checks on NameServer/Broker/Controller updateConfig and protocol handlers, blocking the unauthenticated command execution path.
- SC-7 (Boundary Protection): Requires boundary protection devices and deny-by-default policies so that RocketMQ components are never reachable from the extranet without explicit, controlled interfaces.
- Mandates authorization, encryption, and monitoring for all remote access to RocketMQ services, eliminating the open extranet exposure that enables the attack.