[Debian] High CVE: CVE-2023-46118 rabbitmq-server - denial of service (DoS) attacks

Bug #2045522 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Zhixiong Chi
Milestone: (none)

Bug Description

CVE-2023-46118: https://nvd.nist.gov/vuln/detail/CVE-2023-46118

RabbitMQ is a multi-protocol messaging and streaming broker. Its HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large message over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.

Base Score: High

References:

rabbitmq-server_3.8.9-3+deb11u1
https://www.debian.org/security/2023/dsa-5571
https://www.tenable.com/plugins/nessus/186517
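As an added verification aid, not part of this bug report or of the StarlingX/Debian packaging: the functions below tell whether an installed rabbitmq-server version is older than the fixed bullseye version 3.8.9-3+deb11u1 referenced above, re-implementing dpkg's version ordering rules (deb-version(7)) so the check also runs where dpkg is absent.

```python
# Added example (not StarlingX or Debian code): re-implements the deb-version(7)
# ordering so the check runs without dpkg; `dpkg --compare-versions` is authoritative.
FIXED_VERSION = "3.8.9-3+deb11u1"  # fixed bullseye version named on this page

def _order(c):  # sort weight of a non-digit char: '~' < end-of-string < letters < others
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are not significant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # the longer numeric run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg would: epoch, then upstream, then Debian revision."""
    def split(v):
        epoch, _, rest = v.rpartition(":")
        upstream, _, revision = rest.rpartition("-")
        return int(epoch or 0), upstream or revision, revision if upstream else ""
    for x, y in zip(split(a), split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _cmp_fragment(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def is_vulnerable(installed):  # True when installed sorts before the fixed version
    return compare_versions(installed, FIXED_VERSION) < 0
```

Feed it the output of `dpkg-query -W -f='${Version}' rabbitmq-server`; backport-style suffixes such as `~bpo11` sort below the fixed revision and are reported as vulnerable, while a higher revision or upstream version is not.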


Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/902738

OpenStack Infra (hudson-openstack) wrote : Fix merged to upstream (master)

Reviewed: https://review.opendev.org/c/starlingx/upstream/+/902738
Committed: https://opendev.org/starlingx/upstream/commit/0dd2eb4ab87ff0b9e3c77f0cfc404f50caf19919
Submitter: "Zuul (22348)"
Branch: master

commit 0dd2eb4ab87ff0b9e3c77f0cfc404f50caf19919
Author: Zhixiong Chi <email address hidden>
Date: Sun Dec 3 21:57:15 2023 -0800

    rabbitmq-server: Upgrade to 3.8.9-3+deb11u1

    Upgrade rabbitmq-server to 3.8.9-3+deb11u1 to fix the CVE issue:
    CVE-2023-46118

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2023-46118
    https://www.debian.org/security/2023/dsa-5571
    https://www.tenable.com/plugins/nessus/186517

    TestPlan:
    PASS: downloader; build-pkgs; build-image
    PASS: Jenkins Installation

    Closes-bug: 2045522

    Change-Id: Ifccda2e60db6915e10beef14dd3a65b615f4ec45
    Signed-off-by: Zhixiong Chi <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains public security information; everyone can see this security-related information.