Bug 1186203 (CVE-2021-22116)

Summary: VUL-0: CVE-2021-22116: rabbitmq-server: improper input validation may lead to DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: calmeidadeoliveira, doreilly, kstreitova, peter.simons, pgajdos, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/284550/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22116:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-05-18 12:24:20 UTC
CVE-2021-22116

RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in the AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.

External Reference:

https://tanzu.vmware.com/security/cve-2021-22116

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1961638
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22116
Comment 1 Gianluca Gabrielli 2021-05-18 12:28:20 UTC
According to the product page statement, the affected packages are:

 - SUSE:SLE-15-SP2:Update/rabbitmq-server  3.8.3
 - SUSE:SLE-15-SP3:Update/rabbitmq-server  3.8.11
 - openSUSE:Factory/rabbitmq-server        3.8.16

Since I've not been able to find the actual commit which patches the issue among these 36 [0], I'm not sure if the following packages are affected or not.
Peter could you please share your point-of-view?

 - SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/rabbitmq-server   3.4.4
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rabbitmq-server   3.6.16
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rabbitmq-server   3.6.16

[0] https://github.com/rabbitmq/rabbitmq-server/compare/v3.8.15...v3.8.16
Comment 5 Danilo Spinella 2021-07-14 15:32:41 UTC
There is this commit released with version 3.8.15 that I think might be the fix for this CVE.

 https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563

Gianluca what do you think? Otherwise I'll drop a message to security@rabbitmq.com and ask them directly.
Comment 6 Gianluca Gabrielli 2021-07-21 11:50:11 UTC
Not sure about that; as you suggested, getting feedback from upstream would be the best option. Please reach out to them. In the meantime, I found a discussion [0] going on about this topic and asked for clarification.

[0] https://github.com/rabbitmq/rabbitmq-server/discussions/3147#discussioncomment-1032117
Comment 7 Danilo Spinella 2021-08-03 13:43:49 UTC
I have also sent a message to security@rabbitmq.com but I haven't received a reply yet. 2 weeks have passed since this comment: https://github.com/rabbitmq/rabbitmq-server/discussions/3147#discussioncomment-1032117
Comment 8 Petr Gajdos 2021-08-25 15:04:22 UTC
If I understand correctly, erlang, elixir and rabbitmq-server were added by jira.suse.com/browse/SLE-10913 and are a closed set of packages. What about a version update for them?

IBS:home:pgajdos:maintenance:rabbitmq-server
IBS:home:pgajdos:maintenance:elixir

https://www.rabbitmq.com/changelog.html
says a newer erlang should be used as well:
IBS:home:pgajdos:maintenance:erlang

Not sure this would be a journey with a successful end, just to add another view.
Comment 9 Danilo Spinella 2021-08-25 15:50:29 UTC
I have the update ready for 1187819, 1187818 and 1185075. So fixing this CVE by adding a patch is the least effort, in my opinion.

Talking about the update, we could update rabbitmq-server to version 3.8.19 in all codestreams. This version requires erlang 23 so we could also update it from 22.3. I would be against using the newly released erlang 24 because it is too new. However, I am not an erlang expert, so the last statement might be incorrect.
Comment 10 Petr Gajdos 2021-08-26 06:50:07 UTC
(In reply to Danilo Spinella from comment #9)
> I have the update ready for 1187819, 1187818 and 1185075. So fixing this CVE
> by adding a patch is the least effort, in my opinion.

Sure, the version update is the last option; patches will of course be much, much better. From my far distance, I just had the feeling that the solution depends on the upstream reply. I get now that this is not mandatory, so there is no point in doing a version update.

> Talking about the update, we could update rabbitmq-server to version 3.8.19
> in all codestreams. This version requires erlang 23 so we could also update
> it from 22.3. I would be against using the newly released erlang 24 because
> it is too new. However, I am not an erlang expert, so the last statement
> might be incorrect.

I have this feeling too, and there is 23.3.4.4 in IBS:home:pgajdos:maintenance:erlang.
Comment 11 Gianluca Gabrielli 2021-08-26 10:27:24 UTC
(In reply to Danilo Spinella from comment #5)
> There is this commit released with version 3.8.15 that I think might be the
> fix for this CVE.
> 
>  https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563
> 
> Gianluca what do you think? Otherwise I'll drop a message to
> security@rabbitmq.com and ask them directly.

Ciao Danilo,

I got a confirmation from the researcher, and the fix was merged with PR#2953 [0] as you foresaw. Please proceed to backport it. Thanks.

[0] https://github.com/rabbitmq/rabbitmq-server/pull/2953
Comment 13 Swamp Workflow Management 2021-09-29 19:17:52 UTC
SUSE-SU-2021:3254-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    rabbitmq-server-3.8.3-3.3.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-10-04 19:21:34 UTC
openSUSE-SU-2021:1334-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rabbitmq-server-3.8.3-lp152.2.3.1
Comment 15 Swamp Workflow Management 2021-10-09 22:16:40 UTC
openSUSE-SU-2021:3325-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rabbitmq-server-3.8.11-3.3.3
Comment 16 Swamp Workflow Management 2021-10-09 22:18:17 UTC
SUSE-SU-2021:3325-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    rabbitmq-server-3.8.11-3.3.3
Comment 17 Gianluca Gabrielli 2021-11-30 14:30:23 UTC
Hi cloud team,

please submit for the following packages:
 - SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/rabbitmq-server   3.4.4
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rabbitmq-server   3.6.16
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rabbitmq-server   3.6.16
Comment 19 Christian Almeida de Oliveira 2022-02-11 15:24:56 UTC
Based on comment #18, SOC is not impacted. Back to Security team.