CVE-2021-22116

Published: 08 June 2021

All versions of RabbitMQ prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in the AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to a target RabbitMQ instance that has the AMQP 1.0 plugin enabled.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: rabbitmq-server (Launchpad, Ubuntu, Debian)

Release                               Status
Upstream                              Needs triage
Ubuntu 21.04 (Hirsute Hippo)          Released (3.8.9-2ubuntu0.1)
Ubuntu 20.10 (Groovy Gorilla)         Released (3.8.5-1ubuntu0.2)
Ubuntu 20.04 LTS (Focal Fossa)        Released (3.8.2-0ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver)      Released (3.6.10-1ubuntu0.5)
Ubuntu 16.04 ESM (Xenial Xerus)       Released (3.5.7-1ubuntu0.16.04.4+esm1)
Ubuntu 14.04 ESM (Trusty Tahr)        Does not exist

Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563

Notes

Author: leosilva
Note: The affected code in bionic is in deps/rabbitmq_amqp1_0/src/rabbit_amqp1_0_binary_parser.erl; in xenial it is in plugins-src/rabbitmq-amqp1.0/src/rabbit_amqp1_0_binary_parser.erl.