Bug 1216583 (CVE-2023-46120) - VUL-0: CVE-2023-46120: rabbitmq-java-client: maxBodyLebgth was not used when receiving Message objects
Status: NEW
Alias: CVE-2023-46120
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382974/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-26 05:21 UTC by SMASH SMASH
Modified: 2024-03-05 09:19 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2023-10-26 05:21:05 UTC
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message, causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from the RabbitMQ Java client, which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46120
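The mechanism the description above refers to, as an added illustration that is not part of this bug entry or of rabbitmq-java-client's code: a consumer reassembles an AMQP 0-9-1 message from a content header frame, which declares the body size, followed by content body frames. `VulnerableAssembler` trusts that declared size with no ceiling of its own, so a hostile or compromised broker, or any publisher of a huge message, can keep the consumer buffering until it runs out of memory; `BoundedAssembler` rejects the message when the header arrives, before a single body byte is buffered, which is the shape of the 5.18.0 fix. The class and function names (`Assembler`, `VulnerableAssembler`, `BoundedAssembler`, `deliver`, `header_frame`, `body_frame`), the 64 MiB `DEFAULT_MAX_BODY_SIZE`, the simplified frame encoding and the three sample frame sequences are all constructed for this example; the extra body-exceeds-declared-size check is an addition of this model, not a claim about the upstream patch.

```python
"""Frame-assembly model of the bug class behind CVE-2023-46120 (added
illustration, not rabbitmq-java-client code). An AMQP 0-9-1 message arrives
as a method frame, a content header frame declaring the body size, then body
frames until that many bytes have arrived; a client with no ceiling of its own
lets whoever controls that header decide how much memory the consumer commits.
Frames are constructed (frame_type, payload) pairs with the header payload
reduced to a big-endian body size, a stand-in for the real wire encoding."""

FRAME_HEADER = 2  # AMQP 0-9-1 frame type of a content header frame
FRAME_BODY = 3    # AMQP 0-9-1 frame type of a content body frame

# Hypothetical default for this example; a broker-side limit cannot protect
# the consumer from a hostile or compromised broker, so the ceiling is local.
DEFAULT_MAX_BODY_SIZE = 64 * 1024 * 1024

class MessageTooLargeError(Exception):
    """Declared body size exceeds the consumer's limit; nothing was buffered."""

class MalformedContentError(Exception):
    """Body frames are inconsistent with the content header."""

class Assembler:
    """Reassembles one message from a content header frame and body frames."""

    def __init__(self):
        self.declared_size = None
        self.body = bytearray()

    def on_header(self, size):
        """Hook: inspect the declared body size before it is trusted."""

    def on_body(self, payload):
        """Hook: inspect a body frame before it is appended."""

    def feed(self, frame_type, payload):
        """Consume one frame; return the body once the message is complete."""
        if frame_type == FRAME_HEADER:
            size = int.from_bytes(payload, "big")
            self.on_header(size)
            self.declared_size, self.body = size, bytearray()
            return None
        if frame_type != FRAME_BODY:
            raise ValueError(f"unexpected frame type {frame_type}")
        self.on_body(payload)
        self.body += payload
        if self.declared_size is not None and len(self.body) >= self.declared_size:
            done, self.declared_size = bytes(self.body), None
            return done
        return None

class VulnerableAssembler(Assembler):
    """No checks: every body frame is appended, so a header declaring gigabytes
    keeps the consumer buffering until the process runs out of memory."""

class BoundedAssembler(Assembler):
    """Rejects an oversized message at header time, before buffering anything."""

    def __init__(self, max_body_size=DEFAULT_MAX_BODY_SIZE):
        super().__init__()
        self.max_body_size = max_body_size

    def on_header(self, size):
        # Runs before a single body byte is stored, so the sender never gets
        # to spend the consumer's memory.
        if size > self.max_body_size:
            raise MessageTooLargeError(
                f"declared body size {size} exceeds limit {self.max_body_size}")

    def on_body(self, payload):
        if self.declared_size is None:
            raise MalformedContentError("body frame before content header")
        # Beyond the header check: a small declared size followed by more
        # bytes than promised would otherwise bypass the limit above.
        if len(self.body) + len(payload) > self.declared_size:
            raise MalformedContentError("body exceeds declared size")

def header_frame(body_size):
    """Constructed content header frame carrying only the declared body size."""
    return (FRAME_HEADER, body_size.to_bytes(8, "big"))

def body_frame(chunk):
    return (FRAME_BODY, bytes(chunk))

def deliver(assembler, frames):
    """Feed frames in order; report ('complete', body), ('buffering', held)
    when frames ran out first, or ('rejected', error_name) when refused."""
    try:
        for frame_type, payload in frames:
            body = assembler.feed(frame_type, payload)
            if body is not None:
                return ("complete", body)
    except (MessageTooLargeError, MalformedContentError) as exc:
        return ("rejected", type(exc).__name__)
    return ("buffering", len(assembler.body))

# Constructed deliveries: the hostile one declares a 2 GiB body and sends a few
# 4 KiB frames (a real attacker keeps sending until the consumer dies).
HOSTILE_FRAMES = [header_frame(2 * 1024 ** 3)] + [body_frame(b"A" * 4096)] * 3
BENIGN_FRAMES = [header_frame(5), body_frame(b"hel"), body_frame(b"lo")]
LYING_FRAMES = [header_frame(3), body_frame(b"abcdef")]  # declares 3, sends 6
```

Running `deliver(VulnerableAssembler(), HOSTILE_FRAMES)` reports the consumer still buffering with 12 KiB held and no error raised, which is the CVE in miniature: nothing stops it short of memory exhaustion. `deliver(BoundedAssembler(), HOSTILE_FRAMES)` reports a rejection before any body byte is stored. For the real client the remedy is the upgrade to 5.18.0 or later noted in the description, where the ceiling is configurable on the connection factory (to my recollection via `ConnectionFactory#setMaxInboundMessageBodySize`, a name taken from memory of the 5.18.0 API rather than from this page). Two points carry over from the model: the check has to run when the header arrives rather than after the body has been accumulated, and the broker's own `max_message_size` setting does not help a consumer whose broker is the attacker.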
Comment 1 Alexander Bergmann 2023-10-26 05:38:32 UTC
We are on version 3.5.0, also on Factory. 

- openSUSE:Backports:SLE-15-SP4
- openSUSE:Backports:SLE-15-SP5
- openSUSE:Backports:SLE-15-SP6

The code evolved over time and the available patch is not directly applicable. From what I see, the old code has no `maxBodyLebgth` protection.
Comment 2 Fridrich Strba 2024-03-05 09:19:57 UTC
Factory has been upgraded to 5.20.0. Not sure how the backports fetch that. But from our side, it is fixed. I only submitted a change in the *.changes file to mention this bug and CVE.