Support Content Notification - Support Portal

CVE-2019-11287: RabbitMQ Web Management Plugin DoS via heap overflow

Product/Component

Notification Id

23833

Last Updated

22 November 2019

Initial Publication Date

22 November 2019

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2019-11287

Severity

Medium

Vendor

Pivotal

Description

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack.
The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

RabbitMQ
- 3.7 versions prior to v3.7.21
- 3.8 versions prior to v3.8.1
RabbitMQ for Pivotal Platform
- 1.16 versions prior to 1.16.7
- 1.17 versions prior to 1.17.4

Mitigation

RabbitMQ
- v3.7.21
- v3.8.1
RabbitMQ for Pivotal Platform
- 1.16.7
- 1.17.4

Credit

This issue was responsibly reported by Matei "Mal" Badanoiu.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11287

History

2019-11-22: Initial vulnerability report published.