Missing authorization in IBM Instana Observability
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-33246 |
| CWE-ID | CWE-862 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software Subscribe |
IBM Observability with Instana Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) Missing Authorization
EUVDB-ID: #VU76462
Risk: Critical
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2023-33246
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization in several components of RocketMQ, including NameServer, Broker, and Controller. A remote non-authenticated attacker can use the update configuration function to execute arbitrary commands on the system. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.
Install update from vendor's website.
Vulnerable software versionsIBM Observability with Instana: before 255
External linkshttp://www.ibm.com/support/pages/node/7114756
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
