The Synopsys Cybersecurity Research Center (CyRC) has disclosed denial of service vulnerabilities in three open source message broker applications. Message brokers are used in software systems to enable multiple independent components to reliably and robustly exchange information.
RabbitMQ, EMQ X, and VerneMQ are three open source message brokers. CyRC research uncovered input that causes each message broker to consume large amounts of memory, resulting in the application being terminated by the operating system.
Message brokers use a variety of network protocols to exchange information. One widely used protocol is Message Queuing Telemetry Transport (MQTT). CyRC discovered malformed MQTT messages that cause excessive memory consumption in each of the affected message brokers.
While the failures are all related to handling client input, the failure mechanism is different in each message broker. CyRC found three malformed MQTT messages that cause failure in the three message brokers, but did not find a single message that would cause failure in all three.
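The common thread above is a broker committing memory based on attacker-controlled input before validating it. The following is an added, illustrative defensive check and not code from RabbitMQ, EMQ X or VerneMQ; the page does not state which MQTT fields the discovered messages abuse, so the example assumes the generic case of a declared packet size that exceeds what the broker should buffer. It decodes the MQTT fixed header's variable-length Remaining Length field per the spec (at most four bytes, seven data bits each) and rejects oversized or malformed packets before any body buffer is allocated.

```python
# Added illustrative example of bounded MQTT fixed-header parsing.
# Not the brokers' own code; the real CyRC messages are not described here.

MQTT_MAX_REMAINING_LENGTH = 268_435_455  # spec maximum: 4 bytes x 7 bits


class MalformedPacket(ValueError):
    """Raised when the fixed header cannot be parsed or exceeds policy."""


def decode_remaining_length(data: bytes, offset: int = 1):
    """Decode the MQTT 'Remaining Length' starting at data[offset].

    Returns (remaining_length, bytes_consumed). Raises MalformedPacket when
    the field is truncated or uses more than the four bytes the spec allows.
    """
    multiplier, value, consumed = 1, 0, 0
    while True:
        if offset + consumed >= len(data):
            raise MalformedPacket("truncated remaining length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, consumed
        if consumed == 4:
            raise MalformedPacket("remaining length exceeds 4 bytes")
        multiplier *= 128


def check_packet_size(data: bytes, max_packet_size: int) -> int:
    """Return the total packet size if it is within the configured cap.

    Only the fixed header is inspected, so a client that declares a huge
    body cannot make the broker reserve memory for it; the connection can
    be dropped instead.
    """
    remaining, consumed = decode_remaining_length(data)
    total = 1 + consumed + remaining
    if total > max_packet_size:
        raise MalformedPacket(f"declared size {total} exceeds cap {max_packet_size}")
    return total


def rejects(data: bytes, max_packet_size: int) -> bool:
    """Convenience predicate: True if the packet would be refused."""
    try:
        check_packet_size(data, max_packet_size)
        return False
    except MalformedPacket:
        return True


if __name__ == "__main__":
    # Constructed sample headers: PUBLISH (0x30) with various declared lengths.
    for pkt in (b"\x30\x7f", b"\x30\x80\x01", b"\x30\xff\xff\xff\x7f"):
        print(pkt.hex(), "rejected" if rejects(pkt, 1_048_576) else "accepted")
```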