CVE-2023-37582: 
Java vulnerability analysis and mitigation

The RocketMQ NameServer component contains a remote command execution vulnerability (CVE-2023-37582) that persisted after an incomplete fix of CVE-2023-33246 in version 5.1.1. This vulnerability affects Apache RocketMQ versions 5.0.0 through 5.1.1 and versions up to 4.9.6. The vulnerability was discovered in July 2023 and received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

The vulnerability exists in the NameServer component's update configuration function. When NameServer addresses are exposed to the extranet without proper permission verification, attackers can exploit this vulnerability to execute commands with the same system user privileges as RocketMQ. The vulnerability is particularly severe with a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

According to security researchers, this vulnerability allows attackers to execute arbitrary commands as the system users that RocketMQ operates under. The vulnerability has been observed being exploited in the wild to install malware, including the DreamBus bot. Wiz research indicates that less than 1% of cloud environments have publicly exposed instances vulnerable to this exploit (Wiz).

Users are strongly advised to upgrade their NameServer version to mitigate this vulnerability. For RocketMQ 5.x users, upgrading to version 5.1.2 or above is recommended. Users of RocketMQ 4.x should upgrade to version 4.9.7 or above (NVD).