Headline
CVE-2023-46118: Denial of Service by publishing large messages over the HTTP API
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an “out-of-memory killer”-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
Package
Affected versions
< 3.12.6
Patched versions
3.12.7, 3.11.24
Description
Summary
Responsibly disclosed by @NSEcho.
HTTP API did not enforce an HTTP request body limit, making it vulnerable for DoS attacks with very large messages.
Details
An authenticated user with sufficient credentials can publish a very large messages over the HTTP API
and cause target node to be terminated by an “out-of-memory killer”-like mechanism.
A PoC was provided to Team RabbitMQ privately.
Impact
Denial of Service
Related news
Red Hat Security Advisory 2024-0217-03 - An update for rabbitmq-server is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5571-1 - It was discovered that missing input sanitising in the HTTP API endpoint of RabbitMQ, an implementation of the AMQP protocol, could result in denial of service.
Ubuntu Security Notice 6501-1 - It was discovered that RabbitMQ incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service.