InfoSecBulletin Cybersecurity for mankind
Security researchers found that Apache RocketMQ services are being targeted by malicious activities. The vulnerabilities, known as CVE-2023-33246 and CVE-2023-37582, remain a serious threat even after the vendor released patches in May 2023.
Vulnerability Overview:
Eight New ICS Advisories released by CISA
Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI
London-based company “Builder.ai” reportedly exposed 1.2 TB data
(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
Sophos resolved 3 critical vulnerabilities in Firewall
“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA
CVE-2023-48788
Kaspersky reveals active exploitation of Fortinet Vulnerability
U.S. Weighs Ban on Chinese-Made Router TP-Link: WSJ reports
Daily Security Update Dated: 18.12.2024
CISA released best practices to secure Microsoft 365 Cloud environments
Data breach! Ireland fines Meta $264 million, Australia $50m
The CVE-2023-33246 affected different parts of RocketMQ, such as NameServer, Broker, and Controller. Rongtong Jin, a member of the Apache RocketMQ Project Management Committee, warned about a lasting flaw in the NameServer component of RocketMQ versions 5.1 and older.
The incomplete fix leaves a remote command execution vulnerability, allowing attackers to exploit the update configuration function on exposed NameServers without proper permission checks.
CVE-2023-37582: Unfinished Business:
The problem is the CVE-2023-37582, which is still critical. To prevent attacks, it’s recommended to upgrade NameServer to version 5.1.2/4.9.7 or higher for RocketMQ 5.x/4.x.
The ShadowServer Foundation’s threat intelligence shows a concerning trend: many hosts are actively scanning for online RocketMQ systems. There are exploitation attempts for both CVE-2023-33246 and CVE-2023-37582.
Threat Landscape:
The ShadowServer Foundation has found that there are many different types of threats online. Scanning activities could be used for planning attacks, taking advantage of vulnerabilities, or for genuine research purposes. Hackers have been involved since August 2023, at the same time as the DreamBus botnet started using a vulnerability to install XMRig Monero miners on weak servers.
“The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1,” reads a warning from Rongtong Jin, a member of the Apache RocketMQ Project Management Committee.
