
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache RocketMQ versions 5.1.0 and below contain a critical remote command execution vulnerability (CVE-2023-33246). Several RocketMQ components, including the NameServer, Broker, and Controller, are exposed on the network without proper permission verification. The vulnerability was discovered in May 2023 and affects all versions up to RocketMQ 5.1.0 and 4.9.5 (NVD, CVE).
The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It allows attackers to abuse the update configuration function to execute commands as the system user that RocketMQ runs as. Attackers can achieve the same effect by forging RocketMQ protocol content (NVD, Vicarius).
The vulnerability enables attackers to execute arbitrary commands with the same system privileges as the RocketMQ service. This could lead to complete system compromise, allowing attackers to access, modify, or delete sensitive data, and potentially use the compromised system as a foothold for further network intrusion (NVD).
Users running RocketMQ 5.x should upgrade to version 5.1.1 or later, and users running RocketMQ 4.x to version 4.9.6 or later. These releases contain the fixes that address the vulnerability (NVD).
The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on September 6, 2023, with a remediation due date of September 27, 2023. Federal agencies were required to apply vendor-provided mitigations or discontinue use of the product if mitigations were unavailable (NVD).
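A branch-aware version check built from the fixed releases named above (5.1.1 for the 5.x line, 4.9.6 for the 4.x line), as an added example rather than Wiz's or the RocketMQ project's code; the hostnames and versions in the sample inventory are constructed:

```python
"""Flag RocketMQ deployments still in the CVE-2023-33246 affected range.
Added illustration, not Wiz or RocketMQ project code; fixed versions come
from the advisory above, and the inventory below is constructed sample data."""
import re

# First fixed release on each maintained line, per the advisory.
FIXED_VERSIONS = {4: (4, 9, 6), 5: (5, 1, 1)}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '5.1.0', 'v4.9.5' or '5.1.0-SNAPSHOT' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised RocketMQ version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when this RocketMQ version predates the CVE-2023-33246 fix.

    Each line is checked against its own fix: 4.9.5 is affected although it
    sorts below 5.1.1, and 4.9.6 is fixed although it sorts below 5.1.0.
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major > 5:
        return False  # later major lines postdate the fix
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return True  # 3.x and earlier never received a fixed release
    return parsed < fixed


def hosts_needing_upgrade(inventory: dict[str, str]) -> dict[str, str]:
    """Return {host: version} for every inventory entry still affected."""
    return {host: v for host, v in inventory.items() if is_affected(v)}


# Constructed example inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "broker-a.example.internal": "5.1.0",
    "broker-b.example.internal": "5.1.1",
    "namesrv-1.example.internal": "4.9.5",
    "namesrv-2.example.internal": "v4.9.6",
    "legacy.example.internal": "3.5.8",
}

if __name__ == "__main__":
    for host, version in hosts_needing_upgrade(SAMPLE_INVENTORY).items():
        print(f"{host}: {version} is affected, upgrade required")
```

The same check drops into an inventory or scanner plugin; a version string comparison that ignores the 4.x/5.x split would wrongly mark 4.9.6 as vulnerable.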
Source: This report was generated using AI