The US government has issued an order for federal civilian agencies to address a critical vulnerability in Apache RocketMQ [4], a distributed messaging and streaming platform [3] [5] [6]. This vulnerability allows threat actors to execute commands and forge RocketMQ protocol content [4], and it is currently being actively exploited.
Description
The vulnerability, known as CVE-2023-33246 [3], does not require authentication and has a CVSS rating of 9.8. It affects versions 5.1.0 and below of the messaging platform [4]. The Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies and businesses to patch the vulnerability by September 27th or discontinue its use if updating is not possible [3].
The DreamBus botnet operators are among the threat actors exploiting this vulnerability. Juniper Networks reported that the vulnerability has been exploited in a series of attacks since June [4], with the DreamBus bot being installed for Monero cryptocurrency mining [4]. A cybersecurity researcher discovered approximately 4,500 systems with the RocketMQ Nameserver port exposed online [3] [5], indicating potential targets [3]. Threat intelligence firm VulnCheck also detected around 4500 potentially exposed Apache RocketMQ systems [4], but noted that many may be honeypots [4].
Apache has released an update [3], version 5.1.1 [1] [4], to address the vulnerability and advises users to upgrade for protection. The U.S. [3] [4] [5] [6] National Institute of Standards and Technology (NIST) confirms that forging the RocketMQ protocol content can also lead to exploitation [3]. The US CISA has added this critical vulnerability to its Known Exploited Vulnerabilities catalog [2], highlighting the exposure of several components of Apache RocketMQ to the extranet without permission verification [2].
Conclusion
It is crucial for federal agencies and businesses to promptly patch the vulnerability in Apache RocketMQ to prevent further exploitation. The active exploitation of this vulnerability by threat actors, such as the DreamBus botnet operators, poses significant risks, including unauthorized command execution and content forgery. Upgrading to version 5.1.1 or above is recommended for protection. The inclusion of this vulnerability in the Known Exploited Vulnerabilities catalog by the US CISA underscores the importance of addressing this issue promptly.
References
[1] https://secoperations.wordpress.com/2023/09/10/us-cisa-added-critical-apache-rocketmq-flaw-to-its-known-exploited-vulnerabilities-catalog/
[2] https://allinfosecnews.com/item/us-cisa-added-critical-apache-rocketmq-flaw-to-its-known-exploited-vulnerabilities-catalog-2023-09-09/
[3] https://heimdalsecurity.com/blog/rocketmq-vulnerability/
[4] https://www.infosecurity-magazine.com/news/cisa-critical-rocketmq-bug/
[5] https://cyber.vumetric.com/security-news/2023/09/07/cisa-warns-of-critical-apache-rocketmq-bug-exploited-in-attacks/
[6] https://www.redpacketsecurity.com/cisa-warns-of-critical-apache-rocketmq-bug-exploited-in-attacks/