CVE-2019-17572 in RocketMQ
Summary
by MITRE
In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like "../../../../topic2020" is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.
Analysis
by VulDB Data Team • 05/15/2020
CVE-2019-17572 is a directory traversal flaw (CWE-22) in Apache RocketMQ 4.2.0 through 4.6.0 caused by missing validation of client-supplied topic names during automatic topic creation. When a broker runs with automatic topic creation enabled (the broker.conf setting autoCreateTopicEnable, which is true by default), a message sent for a topic that does not yet exist makes the broker create that topic and, with it, the topic's directory under the broker's store path. The topic name is spliced into that filesystem path without being sanitized, so a name such as "../../../../topic2020" is resolved relative to the store directory and the ".." segments walk upward out of it: the topic folder is created in a parent directory rather than inside the namespace reserved for topic storage. The broker then writes its own queue files into that location with whatever permissions the broker process has. The attacker chooses where the directory lands, not the content of the files the broker writes there, so the primary impact is broker-controlled writes outside the intended store path rather than arbitrary file overwrite; that is still enough to create directories and files in locations other software depends on, consume disk outside the store volume, and, if the broker runs as a privileged user, reach sensitive parts of the filesystem.

Exploitation needs no special privileges beyond the ability to send a message to the broker: the attack uses the ordinary producer path rather than any administrative interface, and unless RocketMQ's ACL feature has been enabled (it is off by default) any client that can reach the broker's listening port qualifies. The root cause is the absence of input validation on topic names at the point where they influence filesystem operations; the broker trusted the client to send a well-formed name and let path resolution do the rest. The fix shipped in Apache RocketMQ 4.6.1, which validates topic names on the broker side and rejects names carrying traversal sequences, so upgrading to 4.6.1 or later is the recommended remediation. Deployments that cannot upgrade immediately should set autoCreateTopicEnable=false in broker.conf and pre-create the topics they need, which removes the code path entirely; run the broker as an unprivileged user whose write access is confined to the store directory; enable ACL so that only authenticated producers can send; keep broker ports off untrusted networks; and review the topic list (for example the output of mqadmin topicList) for names containing path separators or "..", which would indicate an attempt against an unpatched broker.

The issue is a textbook case of a default configuration widening the attack surface: the flaw manifests whenever automatic topic creation is enabled, which is the out-of-the-box setting, so brokers that were never explicitly hardened are exactly the ones exposed.
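The following is an added example and not code from the RocketMQ project or from VulDB. It models, in Python rather than the broker's Java, what happens when a client-supplied topic name is spliced into a store path (the vulnerable behaviour the advisory describes) and places a hardened validator beside it. The store root is a constructed path, and the character allow-list is an assumption borrowed from the shape of RocketMQ's client-side topic validator; it is not a reproduction of the exact 4.6.1 patch.

```python
import posixpath
import re

# Constructed store root for this example; a real broker's store and
# consumequeue locations are whatever broker.conf sets.
STORE_ROOT = "/data/rocketmq/store/consumequeue"

# Character allow-list. RocketMQ's client-side Validators has long used a
# pattern of this shape; applying it server-side here is this example's
# assumption, not the exact rule added in 4.6.1.
TOPIC_PATTERN = re.compile(r"^[%|a-zA-Z0-9_-]+$")
MAX_TOPIC_LEN = 127


def naive_topic_dir(store_root: str, topic: str) -> str:
    """Vulnerable behaviour: splice the client-supplied topic straight into
    a filesystem path. normpath collapses '..' segments, so the result can
    land anywhere the broker process is allowed to write."""
    return posixpath.normpath(posixpath.join(store_root, topic))


def escapes_root(store_root: str, topic: str) -> bool:
    """True when the naive join resolves to a path outside store_root."""
    root = posixpath.normpath(store_root)
    target = naive_topic_dir(store_root, topic)
    return posixpath.commonpath([root, target]) != root


def validate_topic(topic: str) -> bool:
    """Hardened check: reject empty or overlong names, anything outside the
    allow-list (which has no '/', '\\' or '.'), and, as defense in depth,
    any name whose resolved path would still escape the store root."""
    if not topic or len(topic) > MAX_TOPIC_LEN:
        return False
    if TOPIC_PATTERN.match(topic) is None:
        return False
    return not escapes_root(STORE_ROOT, topic)


def safe_topic_dir(store_root: str, topic: str) -> str:
    """Only build a path for a topic that passed validation."""
    if not validate_topic(topic):
        raise ValueError(f"rejected topic name: {topic!r}")
    return naive_topic_dir(store_root, topic)


def flag_traversal_topics(topic_names):
    """Monitoring helper: given topic names collected from a broker (for
    example from topicList output), return those that would have escaped
    the store root on an unpatched broker."""
    return [t for t in topic_names if escapes_root(STORE_ROOT, t)]


if __name__ == "__main__":
    # Constructed sample: two ordinary topics and the advisory's traversal name.
    seen = ["TopicTest", "order_events", "../../../../topic2020"]
    for t in seen:
        print(f"{t!r:28} naive -> {naive_topic_dir(STORE_ROOT, t)}  "
              f"valid={validate_topic(t)}")
    print("flagged:", flag_traversal_topics(seen))
```

Running the block shows the advisory's name resolving to /topic2020, four levels above the store root, while the allow-list rejects it before any path is built; the containment check in validate_topic is redundant with the allow-list but catches a future relaxation of the pattern that reintroduces separators or dots.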