CVE-2023-51653 – This vulnerability in Hertzbeat allows remote c... (How to Fix)

Q: What is the severity of CVE-2023-51653?

CVE-2023-51653 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Hertzbeat allows remote code execution via JNDI injection in the JMX connector implementation. Attackers can exploit the /api/monitor/detect interface by providing a malicious JMX URL, leading to complete system compromise. All Hertzbeat deployments with the vulnerable version are affected.

📋 TL;DR

This vulnerability in Hertzbeat allows remote code execution via JNDI injection in the JMX connector implementation. Attackers can exploit the /api/monitor/detect interface by providing a malicious JMX URL, leading to complete system compromise. All Hertzbeat deployments with the vulnerable version are affected.

💻 Affected Systems

Products:

Hertzbeat

Versions: All versions before 1.4.1

Operating Systems: All platforms running Java

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default configuration when the JMX monitoring feature is enabled.

📦 What is this software?

Hertzbeat by Apache

View all CVEs affecting Hertzbeat →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to service disruption, data exfiltration, and potential ransomware deployment.

🟢

If Mitigated

Limited impact if network segmentation prevents external access and proper input validation is implemented.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via HTTP API and requires no authentication for exploitation.

🏢 Internal Only: HIGH - Even internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires crafting a malicious JMX URL but is straightforward for attackers familiar with JNDI injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg

Restart Required: Yes

Instructions:

1. Backup your configuration and data. 2. Stop Hertzbeat service. 3. Update to version 1.4.1 or later. 4. Restart the service. 5. Verify the fix is applied.

🔧 Temporary Workarounds

Disable JMX monitoring endpoint

all

Remove or restrict access to the vulnerable /api/monitor/detect endpoint

Configure web server/application firewall to block /api/monitor/detect

Network segmentation

linux

Restrict network access to Hertzbeat instance

iptables -A INPUT -p tcp --dport [hertzbeat-port] -s [trusted-networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [hertzbeat-port] -j DROP

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the Hertzbeat instance
Deploy a WAF with rules to detect and block JNDI injection attempts

🔍 How to Verify

Check if Vulnerable:

Check if Hertzbeat version is below 1.4.1 and the /api/monitor/detect endpoint is accessible

Check Version:

Check application logs or run: java -jar hertzbeat.jar --version

Verify Fix Applied:

Confirm version is 1.4.1 or higher and test that JNDI injection attempts are rejected

📡 Detection & Monitoring

Log Indicators:

JNDI lookup attempts in logs
JMX connection attempts with suspicious URLs
Unexpected process execution

Network Indicators:

HTTP POST requests to /api/monitor/detect with JMX URLs
Outbound LDAP/RMI connections from Hertzbeat

SIEM Query:

source="hertzbeat" AND (uri="/api/monitor/detect" AND (url="*jndi*" OR url="*rmi://*" OR url="*ldap://*"))

📊 Metadata

CVE ID: CVE-2023-51653

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-74

Published: February 22, 2024

Last Updated: January 16, 2025

🔗 References

https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg Exploit,Vendor Advisory
https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-51653, you might also want to check these: