Bug 1216582 (CVE-2023-46118) - VUL-0: CVE-2023-46118: rabbitmq-server: HTTP API did not enforce an HTTP request body limit
Status: RESOLVED FIXED
Alias: CVE-2023-46118
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382972/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46118:4.9:(AV:...
Reported: 2023-10-26 05:16 UTC by SMASH SMASH
Modified: 2024-06-19 08:30 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-10-26 05:16:19 UTC
RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46118
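As an added defender-side illustration (not part of this bug report and not RabbitMQ's own code), the kind of bounded body reader the fix described above enforces: the cap is checked against Content-Length before any body byte is read, and for chunked encoding it is enforced chunk by chunk, so an oversized payload is refused with 413 instead of being buffered until the node is killed. The function names, the limit constant and the sample requests are assumptions constructed for this example.

```python
import io

MAX_BODY_BYTES = 128 * 1024  # constructed demo limit; size it for the real workload


class BodyTooLarge(Exception):
    """Raised before the oversized body is buffered, so memory use stays bounded."""


def read_bounded_body(stream, headers, max_bytes):
    """Read an HTTP/1.1 request body from `stream` (a binary file object)
    without ever holding more than `max_bytes` of it in memory.
    `headers` maps lower-cased header names to their values."""
    declared = headers.get("content-length")
    if declared is not None:
        length = int(declared)
        # Reject on the declared size before reading a single body byte.
        if length > max_bytes:
            raise BodyTooLarge(f"Content-Length {length} exceeds limit {max_bytes}")
        return stream.read(length)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        # Chunked bodies carry no up-front size, so the cap must be enforced
        # as each chunk header arrives, not after the whole body is assembled.
        buf = bytearray()
        while True:
            size_line = stream.readline()
            if not size_line:
                raise ValueError("truncated chunked body")
            chunk_size = int(size_line.split(b";")[0].strip(), 16)
            if chunk_size == 0:
                while stream.readline() not in (b"\r\n", b""):  # skip trailers
                    pass
                return bytes(buf)
            if len(buf) + chunk_size > max_bytes:
                raise BodyTooLarge(f"chunked body exceeds limit {max_bytes}")
            buf += stream.read(chunk_size)
            stream.readline()  # CRLF that terminates the chunk data
    return b""  # request without a body


def check_request(raw_body, headers, max_bytes=MAX_BODY_BYTES):
    """Return (status, body): 200 with the body when it fits, 413 when it does not."""
    try:
        return 200, read_bounded_body(io.BytesIO(raw_body), headers, max_bytes)
    except BodyTooLarge:
        return 413, b""


if __name__ == "__main__":
    # Constructed sample: chunked body of 6 bytes against a 4-byte cap.
    print(check_request(b"3\r\nabc\r\n3\r\ndef\r\n0\r\n\r\n",
                        {"transfer-encoding": "chunked"}, 4))  # (413, b'')
```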
Comment 8 Maintenance Automation 2023-12-20 20:30:02 UTC
SUSE-SU-2023:4939-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216582
CVE References: CVE-2023-46118
Sources used:
openSUSE Leap 15.3 (src): rabbitmq-server-3.8.11-150300.3.14.1
openSUSE Leap 15.4 (src): rabbitmq-server-3.8.11-150300.3.14.1
openSUSE Leap 15.5 (src): rabbitmq-server-3.8.11-150300.3.14.1
Server Applications Module 15-SP4 (src): rabbitmq-server-3.8.11-150300.3.14.1
Server Applications Module 15-SP5 (src): rabbitmq-server-3.8.11-150300.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-06-19 08:30:25 UTC
SUSE-FU-2024:2078-1: An update that solves five vulnerabilities, contains one feature and has five fixes can now be installed.

Category: feature (important)
Bug References: 1181400, 1185075, 1186203, 1187818, 1187819, 1199431, 1205267, 1216582, 1219532, 1222591
CVE References: CVE-2021-22116, CVE-2021-32718, CVE-2021-32719, CVE-2022-31008, CVE-2023-46118
Jira References: PED-8414
Maintenance Incident: SUSE:Maintenance:34194 (https://smelt.suse.de/incident/34194/)
Sources used:
openSUSE Leap 15.3 (src):
 erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1
openSUSE Leap 15.6 (src):
 erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3
Server Applications Module 15-SP6 (src):
 erlang26-26.2.1-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3, elixir115-1.15.7-150300.7.5.1