On 11/27/23 09:14, Thomas Goirand wrote:
On 11/25/23 13:41, Salvatore Bonaccorso wrote:
Source: rabbitmq-server
Version: 3.10.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rabbitmq/rabbitmq-server/pull/9708
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for rabbitmq-server.
CVE-2023-46118[0]:
| RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP
| API did not enforce an HTTP request body limit, making it vulnerable
| to denial of service (DoS) attacks with very large messages. An
| authenticated user with sufficient credentials can publish very
| large messages over the HTTP API and cause the target node to be
| terminated by an "out-of-memory killer"-like mechanism. This
| vulnerability has been patched in versions 3.11.24 and 3.12.7.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Hi,
Please find the attached debdiff to fix Bookworm. I would very much
like to upload it to bookworm-security, if the security team agrees, as
anyone with a rabbitmq-server exposed to the internet will be vulnerable to
the DoS.
Note that I've uploaded 3.10.8-3 to unstable also fixing this CVE.
Please let me know if you also feel like a DSA should be published, or
if you feel like I should deal with the stable release team.
Cheers,
Thomas Goirand (zigo)
Please also find the Bullseye debdiff attached to this message.
Cheers,
Thomas Goirand (zigo)
diff -Nru rabbitmq-server-3.8.9/debian/changelog rabbitmq-server-3.8.9/debian/changelog
--- rabbitmq-server-3.8.9/debian/changelog 2021-04-10 22:59:57.000000000 +0200
+++ rabbitmq-server-3.8.9/debian/changelog 2023-11-27 09:21:56.000000000 +0100
@@ -1,3 +1,13 @@
+rabbitmq-server (3.8.9-3+deb11u1) bullseye-security; urgency=medium
+
+ * CVE-2023-46118: Denial of Service by publishing large messages over the
+ HTTP API. Applied upstream patches that introduce a limit of 10MB:
+ - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
+ - Introduce_HTTP_request_body_limit_for_definition_uploads.patch
+ (Closes: #1056723).
+
+ -- Thomas Goirand <z...@debian.org> Mon, 27 Nov 2023 09:21:56 +0100
+
rabbitmq-server (3.8.9-3) unstable; urgency=medium
[ Adam Cecile ]
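Review bot: the changelog entry says the patches "introduce a limit of 10MB", but the two patches do not agree on the default: the first sets 10000000 in the Makefile PROJECT_ENV and in its schema translation, while the second defaults its schema translation to 20000000 and its hrl macro to 10000000. State the effective default once, in bytes (10000000 bytes is 10 MB, not the 10 MiB named in the patch subject, which would be 10485760), and make sure the applied patches agree with that value.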
diff -Nru rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_1_Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_1_Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
--- rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_1_Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch 1970-01-01 01:00:00.000000000 +0100
+++ rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_1_Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch 2023-11-27 09:21:56.000000000 +0100
@@ -0,0 +1,52 @@
+Subject: CVE-2023-46118 (1/2): Reduce default HTTP API request body size limit
to 10 MiB
+ per discussion with the team.
+ .
+ It should be enough to accomodate a definition file with about
+ 100K queues.
+Author: Michael Klishin <klish...@vmware.com>
+Date: Mon, 16 Oct 2023 06:48:23 -0400
+Bug-Debian: https://bugs.debian.org/1056723
+Origin: upstream,
https://github.com/rabbitmq/rabbitmq-server/pull/9708/commits/c6d0382be4d9b6f4d0ab9466b397e353adfa92e0
+Last-Update: 2023-11-27
+
+Index: rabbitmq-server/deps/rabbitmq_management/Makefile
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/Makefile
++++ rabbitmq-server/deps/rabbitmq_management/Makefile
+@@ -12,7 +12,8 @@ define PROJECT_ENV
+
+ {cors_allow_origins, []},
+ {cors_max_age, 1800},
+- {content_security_policy, "script-src 'self' 'unsafe-eval'
'unsafe-inline'; object-src 'self'"}
++ {content_security_policy, "script-src 'self' 'unsafe-eval'
'unsafe-inline'; object-src 'self'"},
++ {max_http_body_size, 10000000}
+ ]
+ endef
+
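Review bot: `{max_http_body_size, 10000000}` in PROJECT_ENV is a second, independent copy of the default; the same value is hard-coded again as `?MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE` in rabbit_mgmt.hrl and once more as the schema translation fallback, so a later change to one of them will silently leave the others behind. Keep a single source of truth (the hrl macro, which the reading code already uses as its `application:get_env` fallback) and drop or derive the other two.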
+Index:
rabbitmq-server/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+===================================================================
+---
rabbitmq-server.orig/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
++++
rabbitmq-server/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+@@ -20,6 +20,22 @@
+ {mapping, "management.http_log_dir", "rabbitmq_management.http_log_dir",
+ [{datatype, string}]}.
+
++%% Max HTTP body limit
++{mapping, "management.http.max_body_size",
"rabbitmq_management.max_http_body_size",
++ [{datatype, integer}, {validators, ["non_negative_integer"]}]}.
++{translation, "rabbitmq_management.max_http_body_size",
++fun(Conf) ->
++ case cuttlefish:conf_get("management.http.max_body_size", Conf,
undefined) of
++ %% 20 MiB allows for about 200K queues across a small (single digit)
number of virtual hosts with
++ %% 10 MiB allows for about 100K queues with short names across a
small (single digit) number of virtual hosts with
++ %% an equally small number of users. MK.
++ undefined -> 10000000;
++ Val when is_integer(Val) -> Val;
++ Other ->
cuttlefish:invalid("management.http.max_body_size must be set to a positive
integer")
++ end
++end}.
++
++
+ %% HTTP (TCP) listener options
========================================================
+
+ %% HTTP listener consistent with Web STOMP and Web MQTT.
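Review bot: the translation comment still carries the stale "20 MiB allows for about 200K queues" line directly above the "10 MiB allows for about 100K queues" line that replaced it; drop the 20 MiB line, since this patch's default is 10000000. The `Other ->` clause also reports that the key "must be set to a positive integer" while the mapping's validator is `non_negative_integer`, so a value of 0 passes validation; either tighten the validator or reword the message. `Other` is bound but never used and can be `_`.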
diff -Nru rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_2_Introduce_HTTP_request_body_limit_for_definition_uploads.patch rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_2_Introduce_HTTP_request_body_limit_for_definition_uploads.patch
--- rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_2_Introduce_HTTP_request_body_limit_for_definition_uploads.patch 1970-01-01 01:00:00.000000000 +0100
+++ rabbitmq-server-3.8.9/debian/patches/CVE-2023-46118_2_Introduce_HTTP_request_body_limit_for_definition_uploads.patch 2023-11-27 09:21:56.000000000 +0100
@@ -0,0 +1,109 @@
+Description: CVE-2023-46118 (2/2): Introduce HTTP request body limit for
definition uploads
+ The default is 20 MiB, which is enough to upload
+ a definition file with 200K queues, a few virtual host
+ and a few users. In other words, it should accomodate
+ a lot of environments.
+Author: Michael Klishin <klish...@vmware.com>
+Date: Sat, 14 Oct 2023 06:11:01 -0400
+Bug-Debian: https://bugs.debian.org/1056723
+Origin: upstream,
https://github.com/rabbitmq/rabbitmq-server/commit/b7b3514bb1f71cdad552ba712f683b4d427c4aec
+Last-Update: 2023-11-27
+
+Index: rabbitmq-server/deps/rabbitmq_management/include/rabbit_mgmt.hrl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/include/rabbit_mgmt.hrl
++++ rabbitmq-server/deps/rabbitmq_management/include/rabbit_mgmt.hrl
+@@ -6,3 +6,5 @@
+ %%
+
+ -define(AUTH_REALM, "Basic realm=\"RabbitMQ Management\"").
++
++-define(MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE, 10000000).
+Index:
rabbitmq-server/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+===================================================================
+---
rabbitmq-server.orig/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
++++
rabbitmq-server/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+@@ -36,6 +36,23 @@ fun(Conf) ->
+ end}.
+
+
++%% Max HTTP body limit
++
++{mapping, "management.http.max_body_size",
"rabbitmq_management.max_http_body_size",
++ [{datatype, integer}, {validators, ["non_negative_integer"]}]}.
++
++{translation, "rabbitmq_management.max_http_body_size",
++fun(Conf) ->
++ case cuttlefish:conf_get("management.http.max_body_size", Conf,
undefined) of
++ %% 20 MiB allows for about 200K queues across a small (single digit)
number of virtual hosts with
++ %% an equally small number of users. MK.
++ undefined -> 20000000;
++ Val when is_integer(Val) -> Val;
++ Other ->
cuttlefish:invalid("management.http.max_body_size must be set to a positive
integer")
++ end
++end}.
++
++
+ %% HTTP (TCP) listener options
========================================================
+
+ %% HTTP listener consistent with Web STOMP and Web MQTT.
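Review bot: the `management.http.max_body_size` mapping and translation added here duplicate the ones the first patch in the series (CVE-2023-46118_1, applied before this one) already inserts into the same schema file at line 20, with a different default (10000000 there, 20000000 here), so if both hunks apply the schema declares the key twice with conflicting fallbacks. Reduce this patch to the parts the first one does not already carry, or reorder the series so "Introduce" precedes "Reduce" as upstream did and let the reduction change only the default values.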
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+@@ -772,15 +772,27 @@ id0(Key, ReqData) ->
+
+ read_complete_body(Req) ->
+ read_complete_body(Req, <<"">>).
+-read_complete_body(Req0, Acc) ->
+- case cowboy_req:read_body(Req0) of
+- {ok, Data, Req} -> {ok, <<Acc/binary, Data/binary>>, Req};
+- {more, Data, Req} -> read_complete_body(Req, <<Acc/binary,
Data/binary>>)
++read_complete_body(Req, Acc) ->
++ BodySizeLimit = application:get_env(rabbitmq_management,
max_http_body_size, ?MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE),
++ read_complete_body(Req, Acc, BodySizeLimit).
++read_complete_body(Req0, Acc, BodySizeLimit) ->
++ case bit_size(Acc) > BodySizeLimit of
++ true ->
++ {error, "Exceeded HTTP request body size limit"};
++ false ->
++ case cowboy_req:read_body(Req0) of
++ {ok, Data, Req} -> {ok, <<Acc/binary, Data/binary>>, Req};
++ {more, Data, Req} -> read_complete_body(Req, <<Acc/binary,
Data/binary>>)
++ end
+ end.
+
+ with_decode(Keys, ReqData, Context, Fun) ->
+- {ok, Body, ReqData1} = read_complete_body(ReqData),
+- with_decode(Keys, Body, ReqData1, Context, Fun).
++ case read_complete_body(ReqData) of
++ {error, Reason} ->
++ bad_request(Reason, ReqData, Context);
++ {ok, Body, ReqData1} ->
++ with_decode(Keys, Body, ReqData1, Context, Fun)
++ end.
+
+ with_decode(Keys, Body, ReqData, Context, Fun) ->
+ case decode(Keys, Body) of
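Review bot: `bit_size(Acc) > BodySizeLimit` compares the accumulated body in bits against a limit that the configuration key, the schema comments and the definitions handler's warning all express in bytes, so a configured 10000000 rejects bodies above roughly 1.25 MB rather than 10 MB; use `byte_size(Acc)`. Two smaller points in the same function: the `{more, Data, Req}` branch recurses into `read_complete_body/2`, which re-reads the application env on every chunk instead of calling `read_complete_body/3` with the `BodySizeLimit` already in hand, and because the check runs before `cowboy_req:read_body/1`, the accumulator can exceed the limit by one chunk before the error is returned, which deserves a comment. In `with_decode`, `bad_request` answers the oversized body with 400; 413 (Payload Too Large) describes the condition more precisely.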
+Index:
rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_definitions.erl
+===================================================================
+---
rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_definitions.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_definitions.erl
+@@ -86,8 +86,15 @@ all_definitions(ReqData, Context) ->
+ Context).
+
+ accept_json(ReqData0, Context) ->
+- {ok, Body, ReqData} = rabbit_mgmt_util:read_complete_body(ReqData0),
+- accept(Body, ReqData, Context).
++ case rabbit_mgmt_util:read_complete_body(ReqData0) of
++ {error, Reason} ->
++ BodySizeLimit = application:get_env(rabbitmq_management,
max_http_body_size, ?MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE),
++ _ = rabbit_log:warning("HTTP API: uploaded definition file
exceeded the maximum request body limit of ~p bytes. "
++ "Use the 'management.http.max_body_size'
key in rabbitmq.conf to increase the limit if necessary", [BodySizeLimit]),
++ rabbit_mgmt_util:bad_request(Reason, ReqData0, Context);
++ {ok, Body, ReqData} ->
++ accept(Body, ReqData, Context)
++ end.
+
+ vhost_definitions(ReqData, VHost, Context) ->
+ %% rabbit_mgmt_wm_<>:basic/1 filters by VHost if it is available
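Review bot: the error branch fetches `BodySizeLimit` with its own `application:get_env` call purely to format the warning, repeating the lookup (and the `?MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE` fallback) that `rabbit_mgmt_util:read_complete_body` has already performed; returning the limit in the error tuple from `read_complete_body` would keep one lookup and guarantee that the logged value is the one that was enforced. The message reports the limit in "bytes", which only holds once the comparison in `read_complete_body` is switched from `bit_size` to `byte_size`.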
diff -Nru rabbitmq-server-3.8.9/debian/patches/series rabbitmq-server-3.8.9/debian/patches/series
--- rabbitmq-server-3.8.9/debian/patches/series 2021-04-10 22:59:57.000000000 +0200
+++ rabbitmq-server-3.8.9/debian/patches/series 2023-11-27 09:21:56.000000000 +0100
@@ -1,3 +1,5 @@
lets-use-python3-not-python-binary.patch
rabbitmq-dist.mk.patch
Upstream_PR2965_fixing_rabbitmqctl_parsing
+CVE-2023-46118_1_Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
+CVE-2023-46118_2_Introduce_HTTP_request_body_limit_for_definition_uploads.patch
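Review bot: the series applies CVE-2023-46118_1 ("Reduce default ... to 10 MiB", dated 16 Oct) before CVE-2023-46118_2 ("Introduce HTTP request body limit", dated 14 Oct), the reverse of the upstream order recorded in the patch headers; since the reduction was written as a follow-up to the introduction, swap the two entries (and their `_1`/`_2` numbering) so the patches read and apply in the order they were authored, and re-check that the second patch's schema hunk still applies against that order.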