hacats commented on issue #7542:
URL: https://github.com/apache/rocketmq/issues/7542#issuecomment-1798266284

+1

This is a security issue. Our security department has repeatedly reported the `nameserver` unauthorized configuration modification vulnerability to us, and it is difficult for our development side to resolve it.

Although your `CVE-2023-37582` fix code blocks the critical attributes, other attributes can still be maliciously modified by attackers, which may make the service unavailable. The request can be obtained simply by capturing the packet that `mqadmin` sends when modifying the configuration, for example setting the thread count to 1, setting the capacity to 1, or turning off certain flags so that the service becomes unavailable.

This problem needs to be resolved as soon as possible.

