CVE-2024-23321

8.8 HIGH

📋 TL;DR

In Apache RocketMQ 5.2.0 and earlier, an actor who holds a regular (non-admin) account, or whose source address is on the IP whitelist, can obtain the administrator's access key and secret key through certain interfaces, even when authentication and authorization (ACL) are enabled. With those credentials and the broker address list the attacker has full administrative control of RocketMQ. The fix is 5.3.0; the project also recommends moving to RocketMQ ACL 2.0 on 5.3.0 and newer. Without ACL there is nothing to escalate from, since every client already has full access, so the issue matters precisely for deployments that turned ACL on.

💻 Affected Systems

Products:
  • Apache RocketMQ
Versions: All versions ≤ 5.2.0 (fixed in 5.3.0)
Operating Systems: All platforms running RocketMQ
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable even when ACL authentication and authorization are enabled. The attacker needs either a regular (non-admin) ACL account or a source address that is on the IP whitelist; both are routinely granted to ordinary producer and consumer hosts.

📦 What is this software?

Apache RocketMQ is a distributed messaging and streaming platform. A deployment consists of NameServers (routing and discovery, port 9876 by default), Brokers (message storage and delivery, port 10911 by default) and, in 5.x, optional Proxies. When the ACL feature is enabled, clients and the mqadmin tool authenticate to brokers with an accessKey/secretKey pair; accounts flagged admin: true may perform management operations, which is why leaking that pair hands an attacker the whole cluster.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of RocketMQ infrastructure, allowing attackers to read/write all messages, modify configurations, and potentially pivot to connected systems.

🟠

Likely Case

Unauthorized access to sensitive message data, configuration tampering, and privilege escalation within the RocketMQ environment.

🟢

If Mitigated

Limited impact if proper network segmentation and monitoring are in place, but credential exposure still poses significant risk.

🌐 Internet-Facing: HIGH - If RocketMQ brokers are internet-accessible, attackers can exploit this to gain full control.
🏢 Internal Only: MEDIUM - Internal attackers with user access can escalate to admin privileges and compromise the messaging system.

🎯 Exploit Status

Public PoC: No
Weaponized: Not publicly known
Unauthenticated Exploit: No (a regular ACL account or a whitelisted source address is required)
Complexity: LOW

Exploitation requires a regular RocketMQ account or a source address on the IP whitelist. The advisory refers to "specific interfaces" without naming them, and no public write-up details them.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.0 or newer

Vendor Advisory: https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830

Restart Required: Yes

Instructions:

1. Download RocketMQ 5.3.0 or newer from the Apache website.
2. Stop all RocketMQ services (NameServer, Broker and, if deployed, Proxy).
3. Back up configuration and data.
4. Install the new version.
5. Migrate to RocketMQ ACL 2.0 (recommended by the project for 5.3.0 and later).
6. Restart services.
7. Verify functionality.

🔧 Temporary Workarounds

Network Isolation

Platform: Linux

Restrict access to the RocketMQ listeners to trusted networks only. The rules below cover the NameServer (9876) and the Broker (10909 VIP channel, 10911 main, 10912 HA); add the 5.x Proxy ports (8080/8081 by default) if a Proxy is deployed. Replace <trusted_cidr> with the producer/consumer and admin networks, and note that iptables rules do not survive a reboot unless saved.

# NameServer and Broker listeners, default ports
iptables -A INPUT -p tcp -m multiport --dports 9876,10909,10911,10912 -s <trusted_cidr> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 9876,10909,10911,10912 -j DROP

Enhanced Monitoring

Platform: All

Monitor for unusual authentication attempts and credential access patterns

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to RocketMQ NameServers and Brokers
  • In plain_acl.yml, remove or minimize globalWhiteRemoteAddresses (requests from those addresses skip the credential check, so every host on them is one of the "IP whitelisted actors" the advisory describes), keep admin: true to the smallest possible set of accounts, and pin each admin account to its management hosts with whiteRemoteAddress
  • Enable detailed audit logging and monitor for credential access attempts
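The advisory's two attacker profiles are a regular ACL account and a source address on the IP whitelist, so the first thing to know about a deployment that cannot patch is how many of each it has. The following is an added example, not code from the Apache RocketMQ project or from this page: it audits a plain_acl.yml for every globalWhiteRemoteAddresses entry (requests from those addresses skip the credential check entirely) and every admin: true account, and reports whether each admin account is pinned to a whiteRemoteAddress. It assumes the documented plain_acl.yml layout; the sample file it can write is constructed for the demo and the account names in it are made up.

```shell
#!/bin/sh
# Added example, not part of Apache RocketMQ: audit a plain_acl.yml for the
# two things CVE-2024-23321 turns into full compromise. Prints one finding
# per line and returns 1 when anything was found, 0 for a clean file.

# acl_audit FILE
acl_audit() {
  awk '
    # Emit the finding for the account being parsed, if it is an admin account.
    function flush() {
      if (key == "") return
      if (admin) {
        print "ADMIN_ACCOUNT " key " whiteRemoteAddress=" (wra == "" ? "<none>" : wra)
        found = 1
      }
      key = ""; admin = 0; wra = ""
    }
    { sub(/[ \t]+$/, "") }                     # drop trailing whitespace
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^globalWhiteRemoteAddresses:/ { flush(); section = "global"; next }
    /^accounts:/                   { flush(); section = "accounts"; next }
    /^[^ \t-]/                     { flush(); section = "" }   # any other top-level key
    # Global whitelist entries bypass the accessKey/secretKey check altogether.
    section == "global" && /^[ \t]*-/ {
      sub(/^[ \t]*-[ \t]*/, "")
      print "GLOBAL_WHITELIST " $0; found = 1; next
    }
    # A new account starts at accessKey; flush the previous one first.
    section == "accounts" && /^[ \t]*(-[ \t]*)?accessKey:/ {
      flush()
      sub(/^.*accessKey:[ \t]*/, ""); key = $0; next
    }
    section == "accounts" && /^[ \t]*admin:[ \t]*true/ { admin = 1; next }
    section == "accounts" && /^[ \t]*whiteRemoteAddress:/ {
      sub(/^.*whiteRemoteAddress:[ \t]*/, ""); wra = $0; next
    }
    END { flush(); exit found ? 1 : 0 }
  ' "$1"
}

# acl_write_sample FILE: a constructed plain_acl.yml in the documented layout
# (made-up accounts, not a real deployment) so the audit can be exercised offline.
acl_write_sample() {
  cat > "$1" <<'EOF'
globalWhiteRemoteAddresses:
- 10.10.103.*
- 192.168.0.*

accounts:
- accessKey: producer01
  secretKey: s3cret-producer
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: SUB
  topicPerms:
  - orders=PUB
- accessKey: opsadmin
  secretKey: s3cret-admin
  whiteRemoteAddress: 192.168.1.*
  admin: true
- accessKey: legacyadmin
  secretKey: s3cret-legacy
  whiteRemoteAddress:
  admin: true
EOF
}

# Run as a script: sh acl_audit.sh /opt/rocketmq/conf/plain_acl.yml
if [ "$#" -gt 0 ]; then acl_audit "$1"; fi
```

On the constructed sample the audit reports both global whitelist ranges, opsadmin pinned to 192.168.1.* and legacyadmin with no source restriction, and exits 1, so it can gate a configuration deploy. The parser is a line-oriented awk pass over the documented layout, not a YAML parser; flow-style lists or anchors would need a real one.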

🔍 How to Verify

Check if Vulnerable:

The affected range is determined by version alone: any release ≤ 5.2.0 is vulnerable, and enabling ACL does not protect it. Check the installed version first; if ACL is enabled, also list who can reach the brokers with a regular account or from a whitelisted address, since those are the actors who can exploit it.

Check Version:

ls $ROCKETMQ_HOME/lib/rocketmq-broker-*.jar                            # version is in the jar name, e.g. rocketmq-broker-5.2.0.jar
sh $ROCKETMQ_HOME/bin/mqadmin clusterList -n <nameserver_host>:9876    # #Version column for each running broker

Verify Fix Applied:

Verify version is ≥ 5.3.0 and RocketMQ ACL 2.0 is properly configured. Test that regular users cannot access admin credentials.
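As an added example (not part of RocketMQ or of this page), the version check above can be scripted so it runs unattended across a fleet: read the version from the broker jar name under lib/ and compare it against 5.3.0, the first fixed release, so "affected" is implemented as "older than 5.3.0". The default install path /opt/rocketmq and the ROCKETMQ_HOME convention are assumptions; point it at the real lib/ directory.

```shell
#!/bin/sh
# Added example, not part of Apache RocketMQ: decide from an installation's
# lib/ directory whether it falls in the CVE-2024-23321 affected range.

# rocketmq_version_from_lib LIBDIR -> prints the version from rocketmq-broker-<ver>.jar
rocketmq_version_from_lib() {
  for jar in "$1"/rocketmq-broker-*.jar; do
    [ -e "$jar" ] || return 1          # glob did not match: nothing installed here
    name=${jar##*/}                    # rocketmq-broker-5.2.0.jar
    name=${name#rocketmq-broker-}      # 5.2.0.jar
    printf '%s\n' "${name%.jar}"       # 5.2.0
    return 0
  done
}

# rocketmq_is_affected VERSION -> exit 0 when VERSION is older than 5.3.0, else 1
rocketmq_is_affected() {
  printf '%s\n' "$1" | awk -F. '{
    major = $1 + 0; minor = $2 + 0     # "+ 0" drops suffixes such as "-SNAPSHOT"
    exit (major < 5 || (major == 5 && minor < 3)) ? 0 : 1
  }'
}

# rocketmq_check [LIBDIR] -> verdict on stdout; exit 1 if affected, 2 if no jar found
rocketmq_check() {
  libdir=${1:-${ROCKETMQ_HOME:-/opt/rocketmq}/lib}   # assumed default install path
  ver=$(rocketmq_version_from_lib "$libdir") || {
    echo "no rocketmq-broker-*.jar under $libdir" >&2
    return 2
  }
  if rocketmq_is_affected "$ver"; then
    echo "RocketMQ $ver: affected by CVE-2024-23321, upgrade to 5.3.0 or newer"
    return 1
  fi
  echo "RocketMQ $ver: 5.3.0 or newer, not in the affected range"
  return 0
}

# Run as a script: sh rocketmq_check.sh /opt/rocketmq/lib
if [ "$#" -gt 0 ]; then rocketmq_check "$1"; fi
```

The exit code distinguishes "affected" (1) from "nothing found here" (2), so a fleet run can separate hosts that need the upgrade from hosts where the path guess was wrong. Version is taken from the jar name because the rocketmq-all artifact the original check referenced is the parent POM and is not shipped as a jar.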

📡 Detection & Monitoring

Log Indicators (exact strings and log files depend on version and logging configuration; confirm them by triggering one ACL denial in a test environment):

  • ACL denials in the broker logs (signature check failures, "no permission" errors) for a regular account, followed by successful admin-level operations from the same source address
  • Admin-level operations (broker or ACL configuration queries and updates, topic and subscription management) authenticated with the admin accessKey from a source that is not a known management host
  • A regular account that suddenly issues admin-type requests it has never used before

Network Indicators:

  • Broker connections from a producer/consumer host that carry admin-type requests rather than only send and pull traffic
  • Connections to NameServer or Broker ports from addresses outside the expected client and administrator sets

SIEM Query (illustrative; the log path and the src_ip and accessKey fields assume your collector extracts them from the broker logs):

source="rocketmq/broker.log" ("AclException" OR "Check signature failed" OR "No permission")
| stats count BY src_ip, accessKey

🔗 References
