Headline
Ubuntu Security Notice USN-6501-1
Ubuntu Security Notice 6501-1 - It was discovered that RabbitMQ incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service.
==========================================================================
Ubuntu Security Notice USN-6501-1
November 21, 2023
rabbitmq-server vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
RabbitMQ could be made to denial of service if it received a specially crafted
HTTP request.
Software Description:
- rabbitmq-server: AMQP server written in Erlang
Details:
It was discovered that RabbitMQ incorrectly handled certain HTTP requests.
An attacker could possibly use this issue to cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
rabbitmq-server 3.12.1-1ubuntu0.1
Ubuntu 23.04:
rabbitmq-server 3.10.8-1.1ubuntu0.1
Ubuntu 22.04 LTS:
rabbitmq-server 3.9.13-1ubuntu0.22.04.2
Ubuntu 20.04 LTS:
rabbitmq-server 3.8.2-0ubuntu1.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6501-1
CVE-2023-46118
Package Information:
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.12.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.10.8-1.1ubuntu0.1
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.9.13-1ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.2-0ubuntu1.5
Related news
Red Hat Security Advisory 2024-0217-03 - An update for rabbitmq-server is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5571-1 - It was discovered that missing input sanitising in the HTTP API endpoint of RabbitMQ, an implementation of the AMQP protocol, could result in denial of service.
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.