CVE-2023-33656: GitHub - emqx/nanomq: An ultra-lightweight and blazing-fast MQTT broker for IoT edge

A memory leak vulnerability exists in NanoMQ 0.17.2. The vulnerability is located in the file message.c. An attacker could exploit this vulnerability to cause a denial of service attack by causing the program to consume all available memory resources.
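
A defender's view of the issue above, as an added example that is not code from the advisory or the NanoMQ project: it parses the broker's resident set size from Linux `/proc/<pid>/status` text, flags growth that almost never retreats, and estimates the time left before a memory limit is reached. The thresholds, the 256 MiB limit and the sample readings are constructed assumptions.

```python
import re

def parse_vmrss_kib(status_text):
    """Extract VmRSS (KiB) from the text of /proc/<pid>/status; None if absent."""
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def read_rss_kib(pid):
    """Sample a live process on Linux (not exercised by the constructed data)."""
    with open(f"/proc/{pid}/status") as fh:
        return parse_vmrss_kib(fh.read())

def slope_kib_per_s(samples):
    """Least-squares slope over (seconds, rss_kib) pairs."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    num = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    return num / den if den else 0.0

def assess(samples, limit_kib, min_samples=6, max_drops=1, min_growth=0.25):
    """Flag growth that almost never retreats; thresholds are assumptions."""
    if len(samples) < min_samples or samples[0][1] <= 0:
        return {"suspect": False, "eta_s": None}
    rss = [r for _, r in samples]
    drops = sum(1 for a, b in zip(rss, rss[1:]) if b < a)
    growth = (rss[-1] - rss[0]) / rss[0]
    slope = slope_kib_per_s(samples)
    suspect = drops <= max_drops and growth >= min_growth and slope > 0
    eta = (limit_kib - rss[-1]) / slope if suspect else None
    return {"suspect": suspect, "growth": growth, "eta_s": eta}

# Constructed samples: one reading per minute, RSS in KiB.
LEAKING = [(i * 60, 20000 + i * 4000) for i in range(6)]
STEADY = list(zip(range(0, 360, 60), [20000, 21500, 20200, 21000, 19800, 20500]))
LIMIT_KIB = 256 * 1024  # assumed container memory limit

if __name__ == "__main__":
    print("leaking:", assess(LEAKING, LIMIT_KIB))
    print("steady: ", assess(STEADY, LIMIT_KIB))
```

A healthy broker's RSS rises and falls with load, so the check keys on the near absence of decreases rather than on absolute size.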


NanoMQ

NanoMQ MQTT Broker (NanoMQ) is a lightweight and blazing-fast MQTT Broker for the IoT Edge platform.

NanoMQ is based on NNG’s asynchronous I/O threading model, with an extension of MQTT support in the protocol layer, a reworked transport layer, and an enhanced asynchronous I/O mechanism that maximizes overall capacity.

NanoMQ fully supports MQTT V3.1.1 and MQTT V5.0.

For more information, please visit the NanoMQ homepage.

Features

  • Cost-effective on an embedded platform;
  • Fully based on native POSIX. High compatibility;
  • Pure C implementation. High portability;
  • Fully asynchronous I/O and multi-threading;
  • Good support for SMP;
  • Low latency & High handling capacity;

Get Started

Run NanoMQ using Docker

docker run -d --name nanomq -p 1883:1883 -p 8083:8083 -p 8883:8883 emqx/nanomq:latest

More installation options

If you prefer to install and manage NanoMQ yourself, you can download the latest version from nanomq.io/downloads.

Run NanoMQ:

nanomq start
## or run nanomq with a specified configuration file
nanomq start --conf <config_file>

Build From Source

NanoMQ is dedicated to delivering a simple but powerful messaging hub on various edge platforms.

Accordingly, NanoMQ can run on different architectures, such as x86_64 and ARM, with minor migration effort.

Building NanoMQ requires a C99-compatible compiler and CMake (version 3.13 or newer).

  • It is recommended to compile with Ninja:

    git clone https://github.com/emqx/nanomq.git
    cd nanomq
    git submodule update --init --recursive
    mkdir build && cd build
    cmake -G Ninja ..
    ninja

  • Or compile with make:

    git clone https://github.com/emqx/nanomq.git
    cd nanomq
    git submodule update --init --recursive
    mkdir build && cd build
    cmake ..
    make

Build option

There are some configuration options specified using CMake defines in addition to the standard options like CMAKE_BUILD_TYPE:

  • -DNNG_ENABLE_QUIC=ON: to build NanoMQ with QUIC bridging feature
  • -DNNG_ENABLE_TLS=ON: to build with TLS support. (Need to install mbedTLS in advance)
  • -DBUILD_CLIENT=OFF: to disable nanomq tools client suite (including pub / sub / conn )
  • -DBUILD_ZMQ_GATEWAY=ON: to build nanomq_cli with zeromq gateway tool
  • -DBUILD_DDS_PROXY=ON: to build nanomq_cli with dds client ( proxy / sub / pub )
  • -DBUILD_BENCH=ON: to build nanomq_cli mqtt bench
  • -DENABLE_JWT=ON: to build JWT dependency for http server
  • -DNNG_ENABLE_SQLITE=ON: to build nanomq with sqlite support
  • -DBUILD_STATIC_LIB=ON: to build nanomq as a static library
  • -DBUILD_SHARED_LIBS=ON: to build nanomq as a shared library
  • -DDEBUG=ON: to enable debug flag
  • -DASAN=ON: to enable sanitizer
  • -DDEBUG_TRACE=ON: to enable ptrace (ptrace is a mechanism that allows one process to “trace” the execution of another process. The tracer is able to pause execution, and inspect and modify memory and registers in the tracee process)

Resources

  • NanoMQ

    • Blog

    • Official website

  • MQTT Specifications

    • MQTT Version 3.1.1
    • MQTT Version 5.0
    • MQTT SN
    • Unsupported features of MQTT 5.0
      • Auth https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901217
      • Server Redirection https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901255
  • MQTT Client Examples

    • MQTT-Client-Examples
  • MQTT Client SDK

    • NanoSDK
  • Internet of Vehicles

    • Internet of Vehicles. Build a reliable, efficient, and industry-specific IoV platform based on EMQ’s practical experience, from theoretical knowledge such as protocol selection to practical operations like platform architecture design.
  • DDS

    • CycloneDDS
    • DDS proxy on NanoMQ_CLI

Get Involved

Our Website

Visit our official website to have a good grasp on NanoMQ MQTT broker and see how it can be applied in current industries.

Test Report

This test report shows how extraordinary and competitive NanoMQ is in edge computing.

Currently the benchmark is for 0.2.5; an updated one for version 0.3.5 is coming soon.

Questions

GitHub Discussions provides a place for you to ask questions and share your ideas with users around the world.

Slack

You could join us on Slack. We now share a workspace with the entire EMQ X team. After joining, find your channel!

  • #nanomq: a channel for general usage, for asking questions or sharing your experience;
  • #nanomq-dev: a channel for MQTT lovers and developers; your great thoughts are what we love to hear;
  • #nanomq-nng: a channel for those who are interested in NNG, one of our fabulous dependencies.

Community

Some quotes from NNG’s maintainer — Garrett: I’m very excited about the synergy between the NanoMQ and NNG projects, and grateful for sponsorship that NNG has received from the NanoMQ team. The NanoMQ team has been able to push NNG’s envelope, and the collaboration has already yielded substantial improvements for both projects. Further, the cooperation between these two projects will make MQTT and SP (nanomsg) protocols easy to use within a single project as well as other capabilities (such as websockets, HTTPS clients and servers), greatly expanding the toolset within easy reach of the IoT developer. Further, this comes without the usual licensing or portability/embeddability challenges that face other projects. Additional planned collaborative work will further expand on these capabilities to the benefit of our shared communities.

Open Source

NanoMQ is fully open-sourced!

License

MIT License

Authors

The EMQ Edge Computing team.
