Software Integrity Blog

 

CyRC Vulnerability Advisory: Denial of service vulnerabilities in RabbitMQ, EMQ X, and VerneMQ

CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial of service vulnerabilities in three popular open source message broker applications.

CyRC-analysis.jpg

Overview

The Synopsys Cybersecurity Research Center (CyRC) has exposed denial of service vulnerabilities in three open source message broker applications. Message brokers are used in software systems to enable multiple independent components to reliably and robustly exchange information.

RabbitMQ, EMQ X, and VerneMQ are three open source message brokers. CyRC research uncovered input that causes each message broker to consume large amounts of memory, resulting in the application being terminated by the operating system.

Message brokers use a variety of network protocols to exchange information. One widely used protocol is Message Queuing Telemetry Transport (MQTT). CyRC discovered malformed MQTT messages that cause excessive memory consumption in each of the affected message brokers.

While the failures are all related to handling client input, the failure mechanism is different in each message broker. CyRC found three malformed MQTT messages that cause failure in the three message brokers, but did not find a single message that would cause failure in all three.

Affected software

CVE-2021-22116
RabbitMQ versions 3.8.x prior to 3.8.16

CVE-2021-33175
EMQ X versions prior to 4.2.8

CVE-2021-33176
VerneMQ versions prior to 1.12.0

Impact

CVE-2021-22116
Please refer to VMWare’s advisory for impact details: https://tanzu.vmware.com/security/cve-2021-22116

CVE-2021-33175
CVSS 3.1 base score: 8.6 (high)

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

CVE-2021-33176
CVSS 3.1 base score: 8.6 (high)

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

Remediation

CVE-2021-22116
Upgrade to RabbitMQ version 3.8.16 or later.
https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.16

For release notes related to the fix of CVE-2021-22116, see: https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.15

CVE-2021-33175
Upgrade to EMQ X version 4.2.8 or later.

https://docs.emqx.io/en/broker/v4.2/changes/changes-4.2.html#version-4-2-8

CVE-2021-33176
Upgrade to VerneMQ version 1.12.0 or later.

https://github.com/vernemq/vernemq/releases/tag/1.12.0

Discovery credit

Jonathan Knudsen, a researcher with the Synopsys Cybersecurity Research Center, discovered these vulnerabilities using the Defensics® fuzz testing tool.

Synopsys would like to commend the RabbitMQ, VerneMQ, and EMQ X teams for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

CVE-2021-22116

  • March 9, 2021: Initial disclosure
  • April 7, 2021: VMWare validates, confirms, and releases a patch for the vulnerability
  • April 9, 2021: Fix from VMWare validated by Jonathan Knudsen
  • May 10, 2021: VMWare publishes advisory for CVE-2021-22116
  • June 8, 2021: Advisory published by Synopsys

CVE-2021-33175

  • March 9, 2021: Initial disclosure
  • March 10, 2021: EMQ X validates, confirms, and releases a fix for the vulnerability
  • March 11, 2021: Fix from EMQ X validated by Jonathan Knudsen
  • May 10, 2021: CVE ID created
  • June 8, 2021: Advisory published by Synopsys

CVE-2021-33176

  • March 9, 2021: Initial disclosure
  • March 10, 2021: VerneMQ validates and confirms the vulnerability
  • May 10, 2021: CVE ID created
  • May 20, 2021: Fix from VerneMQ validated by Jonathan Knudsen
  • May 21, 2021: VerneMQ releases version 1.12.0
  • June 8, 2021: Advisory published by Synopsys

Subscribe to the blog for the latest AppSec news

 

More by this author