Bugzilla – Bug 1186203
VUL-0: CVE-2021-22116: rabbitmq-server: improper input validation may lead to DoS
Last modified: 2024-06-19 08:30:25 UTC
CVE-2021-22116: RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in the AMQP 1.0 client connection endpoint. A malicious actor can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.

External Reference: https://tanzu.vmware.com/security/cve-2021-22116

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1961638
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22116
According to the product page statement the affected packages are:
- SUSE:SLE-15-SP2:Update/rabbitmq-server 3.8.3
- SUSE:SLE-15-SP3:Update/rabbitmq-server 3.8.11
- openSUSE:Factory/rabbitmq-server 3.8.16

Since I've not been able to find the actual commit which patches the issue among these 36 [0], I'm not sure if the following packages are affected or not. Peter, could you please share your point of view?
- SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/rabbitmq-server 3.4.4
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rabbitmq-server 3.6.16
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rabbitmq-server 3.6.16

[0] https://github.com/rabbitmq/rabbitmq-server/compare/v3.8.15...v3.8.16
There is this commit released with version 3.8.15 that I think might be the fix for this CVE.

https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563

Gianluca, what do you think? Otherwise I'll drop a message to security@rabbitmq.com and ask them directly.
Not sure about that; as you suggested, getting feedback from upstream would be the best option. Please reach out to them. In the meantime, I found a discussion [0] going on about this topic and asked for clarification.

[0] https://github.com/rabbitmq/rabbitmq-server/discussions/3147#discussioncomment-1032117
I have also sent a message to security@rabbitmq.com but I haven't received a reply yet. 2 weeks have passed since this comment:
https://github.com/rabbitmq/rabbitmq-server/discussions/3147#discussioncomment-1032117
If I understand correctly, erlang, elixir and rabbitmq-server were added by jira.suse.com/browse/SLE-10913 and are a closed set of packages. What about a version update for them?

IBS:home:pgajdos:maintenance:rabbitmq-server
IBS:home:pgajdos:maintenance:elixir

https://www.rabbitmq.com/changelog.html says a newer erlang should be used as well:

IBS:home:pgajdos:maintenance:erlang

Not sure this would be a journey with a successful end, just to add another view.
I have the update ready for 1187819, 1187818 and 1185075. So fixing this CVE by adding a patch is the least effort, in my opinion. Talking about the update, we could update rabbitmq-server to version 3.8.19 in all codestreams. This version requires erlang 23 so we could also update it from 22.3. I would be against using the newly released erlang 24 because it is too new. However, I am not an erlang expert, so the last statement might be incorrect.
(In reply to Danilo Spinella from comment #9)
> I have the update ready for 1187819, 1187818 and 1185075. So fixing this CVE
> by adding a patch is the least effort, in my opinion.

Sure, the version update is the last option; patches will of course be much, much better. From my far distance, I just had the feeling that the solution depends on the upstream reply. I get now that this is not mandatory, so there is no point in doing a version update.

> Talking about the update, we could update rabbitmq-server to version 3.8.19
> in all codestreams. This version requires erlang 23 so we could also update
> it from 22.3. I would be against using the newly released erlang 24 because
> it is too new. However, I am not an erlang expert, so the last statement
> might be incorrect.

I have this feeling, too, and there is 23.3.4.4 in IBS:home:pgajdos:maintenance:erlang.
(In reply to Danilo Spinella from comment #5)
> There is this commit released with version 3.8.15 that I think might be the
> fix for this CVE.
>
> https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563
>
> Gianluca what do you think? Otherwise I'll drop a message to
> security@rabbitmq.com and ask them directly.

Ciao Danilo, I got a confirmation from the researcher, and the fix was merged with PR#2953 [0] as you foresaw. Please proceed to backport it. Thanks

[0] https://github.com/rabbitmq/rabbitmq-server/pull/2953
SUSE-SU-2021:3254-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): rabbitmq-server-3.8.3-3.3.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1334-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): rabbitmq-server-3.8.3-lp152.2.3.1
openSUSE-SU-2021:3325-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): rabbitmq-server-3.8.11-3.3.3
SUSE-SU-2021:3325-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): rabbitmq-server-3.8.11-3.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Hi cloud team, please submit for the following packages:
- SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/rabbitmq-server 3.4.4
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rabbitmq-server 3.6.16
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rabbitmq-server 3.6.16
Based on comment #18, SOC is not impacted. Back to Security team.
SUSE-FU-2024:2078-1: An update that solves five vulnerabilities, contains one feature and has five fixes can now be installed.

Category: feature (important)
Bug References: 1181400, 1185075, 1186203, 1187818, 1187819, 1199431, 1205267, 1216582, 1219532, 1222591
CVE References: CVE-2021-22116, CVE-2021-32718, CVE-2021-32719, CVE-2022-31008, CVE-2023-46118
Jira References: PED-8414
Maintenance Incident: [SUSE:Maintenance:34194](https://smelt.suse.de/incident/34194/)
Sources used:
openSUSE Leap 15.3 (src): erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1
openSUSE Leap 15.6 (src): erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3
Server Applications Module 15-SP6 (src): erlang26-26.2.1-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3, elixir115-1.15.7-150300.7.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.