Apache RocketMQ Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Apache RocketMQ versions 5.1.0 and prior, as well as in versions through 4.9.5. This vulnerability arises from several components, including NameServer, Broker, and Controller, being exposed to the extranet without proper permission verification. Attackers can exploit this flaw by using the update configuration function to execute commands as the system user under which RocketMQ is running. Additionally, the vulnerability can be exploited by forging content that adheres to the RocketMQ protocol.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed commands running as the system user that RocketMQ operates under.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the RocketMQ Broker component on the default Broker port (10911). The request must include a payload that exploits the lack of permission verification in the 'update configuration' function. This can be done using the Metasploit module available in the Metasploit Framework.

Remediation

Users are advised to upgrade to Apache RocketMQ versions 5.1.1 or 4.9.6 and above. For RocketMQ 5.x, upgrade to version 5.1.2 or above. Consult the Apache RocketMQ Security Advisory for more details.