Bugzilla – Bug 1157665
VUL-0: CVE-2019-11287: rabbitmq-server: DoS via "X-Reason" HTTP Header malicious Erlang format string
Last modified: 2024-05-06 11:52:33 UTC
CVE-2019-11287 Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11287 https://pivotal.io/security/cve-2019-11287
Unclear which commit fixes this issue.
Thanks Gabriele! Reassigning to the security team.
SUSE-SU-2022:3339-1: An update that fixes 6 vulnerabilities, contains two features is now available. Category: security (moderate) Bug References: 1157665,1164139,1191454,1197818,1198398,1201186 CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265 JIRA References: SOC-11662,SOC-8764 Sources used: SUSE OpenStack Cloud Crowbar 9 (src): grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, rubygem-puma-2.16.0-4.18.1 SUSE OpenStack Cloud 9 (src): ardana-ansible-9.0+git.1660748476.c118d23-3.32.1, ardana-cobbler-9.0+git.1660747489.119efcd-3.19.1, ardana-tempest-9.0+git.1651855288.a2341ad-3.22.1, grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, venv-openstack-heat-11.0.4~dev4-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.41.1, venv-openstack-neutron-13.0.8~dev206-6.41.1, venv-openstack-nova-18.3.1~dev92-3.41.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3338-1: An update that fixes 7 vulnerabilities, contains one feature is now available. Category: security (moderate) Bug References: 1157665,1191454,1193597,1197818,1198398,1201186 CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2021-44716,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265 JIRA References: SOC-11662 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, rubygem-puma-2.16.0-3.18.1 SUSE OpenStack Cloud 8 (src): ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1 HPE Helion Openstack 8 (src): ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.