
CyRC Vulnerability Advisory: Denial of service vulnerabilities in RabbitMQ, EMQ X, and VerneMQ

Jonathan Knudsen

Jun 07, 2021 / 1 min read

Overview

The Black Duck Cybersecurity Research Center (CyRC) has disclosed denial of service vulnerabilities in three open source message broker applications. Message brokers are used in software systems to enable multiple independent components to reliably and robustly exchange information.

RabbitMQ, EMQ X, and VerneMQ are three open source message brokers. CyRC research uncovered input that causes each message broker to consume large amounts of memory, resulting in the application being terminated by the operating system.

Message brokers use a variety of network protocols to exchange information. One widely used protocol is Message Queuing Telemetry Transport (MQTT). CyRC discovered malformed MQTT messages that cause excessive memory consumption in each of the affected message brokers.

While the failures are all related to handling client input, the failure mechanism is different in each message broker. CyRC found three malformed MQTT messages that cause failure in the three message brokers, but did not find a single message that would cause failure in all three.
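The advisory does not disclose the malformed messages, so the code below is an added example, not code from the advisory or from any of the three brokers, and it does not reproduce their specific bugs. It illustrates the general failure class described above: the MQTT fixed header carries a client-controlled "Remaining Length" field (a 1 to 4 byte base-128 varint, maximum 268,435,455) and a receiver that sizes memory from that field before checking it against a limit can be pushed toward out-of-memory by a handful of bytes per connection. The 1 MiB limit, the helper names and the sample packets are assumptions made for this example.

```python
"""Bounded parsing of the MQTT fixed header (added example, not advisory code)."""

# MQTT fixed header: byte 0 carries the packet type (high nibble) and flags
# (low nibble); bytes 1..4 carry the "Remaining Length" as a base-128 varint
# (7 data bits per byte, 0x80 = continuation). The spec caps it at 4 bytes,
# so the largest declarable length is 268,435,455 (~256 MiB).
MAX_VARINT_BYTES = 4
MAX_REMAINING_LENGTH = 268_435_455

# Assumed per-deployment packet limit for this example (the advisory gives no
# such number). It is enforced before any memory is sized from client input.
DEFAULT_MAX_PACKET_SIZE = 1024 * 1024  # 1 MiB


class MalformedPacket(ValueError):
    """Raised when the fixed header violates the encoding or the size limit."""


def decode_remaining_length(data: bytes, offset: int = 1):
    """Decode the Remaining Length varint at data[offset]; return (value, consumed).

    Rejects a varint that runs past four bytes or that is truncated.
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed >= MAX_VARINT_BYTES:
            raise MalformedPacket("Remaining Length uses more than 4 bytes")
        if offset + consumed >= len(data):
            raise MalformedPacket("truncated Remaining Length")
        byte = data[offset + consumed]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        consumed += 1
        if not byte & 0x80:
            return value, consumed


def encode_remaining_length(n: int) -> bytes:
    """Inverse of decode_remaining_length; used here to build sample headers."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("value not representable as MQTT Remaining Length")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def parse_fixed_header(data: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE):
    """Return (packet_type, flags, remaining_length, header_len) or raise.

    The declared total size is compared with max_packet_size here, so callers
    never size a buffer from an unchecked client value.
    """
    if not data:
        raise MalformedPacket("empty input")
    packet_type, flags = data[0] >> 4, data[0] & 0x0F
    remaining, consumed = decode_remaining_length(data, 1)
    header_len = 1 + consumed
    if header_len + remaining > max_packet_size:
        raise MalformedPacket(
            f"declared packet size {header_len + remaining} exceeds {max_packet_size}")
    return packet_type, flags, remaining, header_len


def naive_reserve_buffer(data: bytes) -> bytearray:
    """Failure-class illustration only; NOT the code of any affected broker.

    The client-declared length sizes the receive buffer before a single payload
    byte has arrived, so a five-byte header can commit the server to ~256 MiB.
    """
    remaining, _ = decode_remaining_length(data, 1)
    return bytearray(remaining)


def hardened_reserve_buffer(data: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE):
    """Same allocation, but only after parse_fixed_header has enforced the limit."""
    _, _, remaining, _ = parse_fixed_header(data, max_packet_size)
    return bytearray(remaining)


# Constructed sample inputs (not captured traffic).
# PUBLISH (type 3), QoS 1 (flags 0x02), topic "a/b", packet id 1, payload "hi":
# remaining = 2 (topic length) + 3 (topic) + 2 (packet id) + 2 (payload) = 9.
SAMPLE_PUBLISH = bytes([0x32, 0x09]) + b"\x00\x03a/b" + b"\x00\x01" + b"hi"
# Same type byte, but declares 2 MiB: exceeds the 1 MiB example limit.
OVERSIZED_HEADER = bytes([0x32]) + encode_remaining_length(2 * 1024 * 1024)
# Declares the spec maximum, 268,435,455 bytes, in the legal four bytes.
MAX_HEADER = bytes([0x32]) + encode_remaining_length(MAX_REMAINING_LENGTH)
# Five-byte varint: out of spec regardless of the value it would encode.
FIVE_BYTE_VARINT = bytes([0x32, 0x80, 0x80, 0x80, 0x80, 0x01])

if __name__ == "__main__":
    print(parse_fixed_header(SAMPLE_PUBLISH))           # (3, 2, 9, 2)
    print(len(naive_reserve_buffer(OVERSIZED_HEADER)))  # 2097152 from a 5-byte header
    for sample in (OVERSIZED_HEADER, MAX_HEADER, FIVE_BYTE_VARINT):
        try:
            hardened_reserve_buffer(sample)
        except MalformedPacket as exc:
            print("rejected:", exc)
```

The check belongs in the header parser rather than in later packet handling because the fixed header is the first thing a broker reads from an unauthenticated TCP client; a limit enforced there bounds memory per connection before any allocation, while a limit applied after the payload buffer exists only bounds what is retained.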

Affected software

CVE-2021-22116
RabbitMQ versions 3.8.x prior to 3.8.16

CVE-2021-33175
EMQ X versions prior to 4.2.8

CVE-2021-33176
VerneMQ versions prior to 1.12.0

Impact

CVE-2021-22116
Please refer to VMware’s advisory for impact details: https://tanzu.vmware.com/security/cve-2021-22116

CVE-2021-33175
CVSS 3.1 base score: 8.6 (high)

CVSS 3.1 vector (base and temporal metrics): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

CVE-2021-33176
CVSS 3.1 base score: 8.6 (high)

CVSS 3.1 vector (base and temporal metrics): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

Remediation

CVE-2021-22116
Upgrade to RabbitMQ version 3.8.16 or later.
https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.16

For release notes related to the fix of CVE-2021-22116, see: https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.15

CVE-2021-33175
Upgrade to EMQ X version 4.2.8 or later.

https://docs.emqx.io/en/broker/v4.2/changes/changes-4.2.html#version-4-2-8

CVE-2021-33176
Upgrade to VerneMQ version 1.12.0 or later.

https://github.com/vernemq/vernemq/releases/tag/1.12.0

Discovery credit

Jonathan Knudsen, a former researcher with Synopsys, discovered these vulnerabilities using the Defensics® fuzz testing tool.

Black Duck would like to commend the RabbitMQ, VerneMQ, and EMQ X teams for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

CVE-2021-22116

  • March 9, 2021: Initial disclosure
  • April 7, 2021: VMware validates, confirms, and releases a patch for the vulnerability
  • April 9, 2021: Fix from VMware validated by Jonathan Knudsen
  • May 10, 2021: VMware publishes advisory for CVE-2021-22116
  • June 8, 2021: Advisory published by Black Duck

CVE-2021-33175

  • March 9, 2021: Initial disclosure
  • March 10, 2021: EMQ X validates, confirms, and releases a fix for the vulnerability
  • March 11, 2021: Fix from EMQ X validated by Jonathan Knudsen
  • May 10, 2021: CVE ID created
  • June 8, 2021: Advisory published by Black Duck

CVE-2021-33176

  • March 9, 2021: Initial disclosure
  • March 10, 2021: VerneMQ validates and confirms the vulnerability
  • May 10, 2021: CVE ID created
  • May 20, 2021: Fix from VerneMQ validated by Jonathan Knudsen
  • May 21, 2021: VerneMQ releases version 1.12.0
  • June 8, 2021: Advisory published by Black Duck
