Bug 1216583 (CVE-2023-46120)

Summary: VUL-0: CVE-2023-46120: rabbitmq-java-client: maxBodyLength was not used when receiving Message objects
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/382974/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-26 05:21:05 UTC
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLength` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46120
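The description above is the CVE text; the page itself carries no code. As an added illustration (not code from the bug report or from the rabbitmq-java-client project) of where the limit has to be enforced to matter, the following consumer sets a library-level cap on the inbound body size and also rejects oversized bodies in the delivery handler. The setter `setMaxInboundMessageBodySize` is assumed to be the one introduced with the 5.18.0 fix the description mentions and should be checked against the client version in use; the 1 MiB limit, the `localhost` broker and the `work` queue are constructed placeholders.

```java
import com.rabbitmq.client.AMQP;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultConsumer;
import com.rabbitmq.client.Envelope;

import java.io.IOException;

public class BoundedBodyConsumer {

    // Application-chosen ceiling for one message body (constructed value: 1 MiB).
    static final int MAX_BODY_BYTES = 1024 * 1024;

    public static void main(String[] args) throws Exception {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("localhost"); // placeholder broker address

        // Library-level cap (assumed to be the setter added in 5.18.0): the client
        // checks the announced body size while reading frames, before it allocates
        // and assembles the full body, so an oversized message is dropped at the
        // connection layer instead of being materialised in the consumer's heap.
        factory.setMaxInboundMessageBodySize(MAX_BODY_BYTES);

        try (Connection conn = factory.newConnection();
             Channel channel = conn.createChannel()) {

            channel.queueDeclare("work", true, false, false, null);

            // Bound the number of unacknowledged deliveries held in flight; this
            // limits memory from many messages, not the size of a single one.
            channel.basicQos(16);

            channel.basicConsume("work", false, new DefaultConsumer(channel) {
                @Override
                public void handleDelivery(String consumerTag, Envelope envelope,
                                           AMQP.BasicProperties props, byte[] body)
                        throws IOException {
                    // Defence in depth at the application layer. Note the caveat:
                    // by the time this runs the whole body has already been
                    // allocated, so on a client older than 5.18.0 this check does
                    // not prevent the OOM the CVE describes; only the
                    // connection-level cap above does.
                    if (body.length > MAX_BODY_BYTES) {
                        // Reject without requeue so the message goes to a
                        // dead-letter exchange (if configured) or is discarded.
                        channel.basicReject(envelope.getDeliveryTag(), false);
                        return;
                    }

                    // ... normal processing of body ...

                    channel.basicAck(envelope.getDeliveryTag(), false);
                }
            });

            Thread.sleep(Long.MAX_VALUE); // keep the consumer alive
        }
    }
}
```

The point the example makes is the one the description implies: a size check placed in the delivery callback is too late to protect the consumer's heap, because the body has already been read and allocated. The limit must be applied by the client library while frames are being received, which is what the 5.18.0 release added and what the older client in the distribution lacked.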
Comment 1 Alexander Bergmann 2023-10-26 05:38:32 UTC
We are on version 3.5.0, also on Factory.

- openSUSE:Backports:SLE-15-SP4
- openSUSE:Backports:SLE-15-SP5
- openSUSE:Backports:SLE-15-SP6

The code evolved over the time and the available patch is not directly applicable. From what I see, the old code has no `maxBodyLength` protection.
Comment 2 Fridrich Strba 2024-03-05 09:19:57 UTC
Factory has been upgraded to 5.20.0. Not sure how the backports fetch that. But from our side, it is fixed. I only submitted a change in the *changes file to mention this bug and CVE.