CVE-2023-46118 in RabbitMQ
Summary
by MITRE • 10/25/2023
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/14/2024
RabbitMQ serves as a critical messaging infrastructure component supporting multiple protocols for asynchronous communication in distributed systems. The HTTP API interface provides programmatic access to broker functionality, enabling management and message publishing operations through standard web protocols. This vulnerability specifically targets the HTTP API endpoint's handling of message payloads, creating a significant security risk that affects the overall system stability and availability. The flaw exists in how the messaging broker processes incoming HTTP requests, particularly concerning the size limitations imposed on request bodies.
The technical implementation flaw stems from the absence of proper request body size validation within the HTTP API processing pipeline. When an authenticated user submits a message through the HTTP API, the system fails to enforce reasonable limits on the payload size before attempting to process and store the message. This omission allows malicious or compromised actors to craft exceptionally large HTTP request bodies that can overwhelm the target system's memory resources. The vulnerability operates at the application layer, specifically affecting the message ingestion and processing components that handle HTTP protocol interactions. The lack of input sanitization and size enforcement creates a direct pathway for resource exhaustion attacks.
The operational impact of this vulnerability extends beyond simple service disruption to encompass potential system compromise and data integrity concerns. An authenticated attacker with sufficient privileges can leverage this flaw to execute denial of service attacks that may result in complete system termination through kernel-level memory management mechanisms such as the out-of-memory killer. This scenario represents a severe degradation of service availability, potentially affecting critical business operations that depend on message queuing infrastructure. The vulnerability affects not only individual node stability but also the broader messaging topology, as node failures can cascade through interconnected systems. Organizations relying on RabbitMQ for mission-critical messaging may experience significant downtime and operational disruption.
Security mitigations for this vulnerability involve immediate deployment of patched versions 3.11.24 and 3.12.7, which implement proper HTTP request body size limiting mechanisms. System administrators should also consider implementing additional protective measures including rate limiting, network-level controls, and monitoring for unusual request patterns. The vulnerability aligns with CWE-770, which addresses allocation of resources without proper limits or throttling, and maps to ATT&CK technique T1499.004 for network denial of service attacks. Organizations should review their access control policies to ensure that only necessary users have HTTP API credentials, reducing the attack surface. Additionally, implementing automated monitoring for large payload submissions and establishing incident response procedures for memory exhaustion events will enhance overall system resilience against similar threats.