The US government has ordered all federal civilian agencies to patch a critical vulnerability in Apache RocketMQ, which is currently being exploited in the wild.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-33246 to its Known Exploited Vulnerabilities Catalog. It means government agencies have until September 27 to apply a vendor patch to affected systems, although private enterprises are encouraged to follow suit.
The bug affects versions 5.1.0 and below of the popular distributed messaging and streaming platform. It has been given a CVSS rating of 9.8.
“Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as,” explained NIST in an advisory.
“Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x.”
Last month, Juniper Networks reported that the remote code execution vulnerability was being exploited in a “series of attacks” that date back to June. The software flaw was publicly disclosed in May.
The security and networking vendor said it detected several of these campaigns exploiting CVE-2023-33246 to install the DreamBus bot for Monero cryptocurrency mining.
Threat intelligence firm VulnCheck said it used Censys to detect around 4500 potentially exposed Apache RocketMQ systems.
“However, the extreme concentration of systems in one country does call into question how many of these may be honeypots,” it added.