CyRC Vulnerability Advisory: Denial of service vulnerabilities in RabbitMQ, EMQ X, and VerneMQ


CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial of service vulnerabilities in three popular open source message broker applications

Overview

Synopsys Cybersecurity Research Center (CyRC) research has exposed three separate denial of service vulnerabilities in open source message broker applications. Message brokers are used in software systems to enable multiple independent components to reliably and robustly exchange information.

RabbitMQ, EMQ X, and VerneMQ are three open source message brokers. In each, CyRC research uncovered input that causes the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system.

Message brokers use a variety of network protocols to exchange information. One widely used protocol is Message Queuing Telemetry Transport (MQTT). CyRC discovered malformed MQTT messages that cause excessive memory consumption in each of the affected message brokers.

While the failures are all related to handling client input, the failure mechanism is different from one message broker to another. CyRC found three separate malformed MQTT messages that cause failure in the three separate message brokers, but did not find a single message that would cause failure in all three.
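The advisory does not describe the malformed messages, and the failure mechanism differs per broker. As an added, generic illustration (written for this page, not code from RabbitMQ, EMQ X, VerneMQ or Synopsys), the Python below shows the defensive pattern an MQTT framing layer uses so that a client-declared length cannot drive memory use on its own: the fixed header's Remaining Length is decoded with the spec's 4-byte limit enforced, compared against a local size cap, and only then is a body buffer of that size accepted. The 1 MiB cap and the sample byte strings are constructed for the example.

```python
from typing import List, Tuple

# Spec maximum for the Remaining Length variable byte integer (4 bytes).
MQTT_MAX_REMAINING_LENGTH = 268_435_455
# Assumed per-deployment cap on one packet: our own choice, not from the advisory.
DEFAULT_MAX_PACKET_SIZE = 1 << 20  # 1 MiB

# Control packet type is the high nibble of the first byte (MQTT 3.1.1 / 5.0).
PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
    6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE",
    11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT", 15: "AUTH",
}


class MalformedPacket(ValueError):
    """Encoding the spec forbids; a broker should close the connection."""


class PacketTooLarge(ValueError):
    """Declared size exceeds local policy; refuse before allocating anything."""


class NeedMoreData(Exception):
    """The buffer ends mid-packet; a streaming server waits for more bytes."""


def decode_remaining_length(data: bytes, offset: int = 1) -> Tuple[int, int]:
    """Decode the MQTT Remaining Length field starting at data[offset].

    Returns (value, bytes_consumed). Each byte carries 7 bits of value plus a
    continuation bit; the spec allows at most 4 bytes, so a fifth continuation
    byte is a protocol error rather than a larger number.
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == 4:
            raise MalformedPacket("Remaining Length exceeds 4 bytes")
        if offset + consumed >= len(data):
            raise NeedMoreData("buffer ends inside Remaining Length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, consumed


def parse_fixed_header(data: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE) -> dict:
    """Parse the fixed header and enforce the size policy before any body read."""
    if len(data) < 2:
        raise NeedMoreData("fixed header needs at least 2 bytes")
    packet_type = data[0] >> 4
    if packet_type == 0:
        raise MalformedPacket("control packet type 0 is reserved")
    remaining, consumed = decode_remaining_length(data, 1)
    header_length = 1 + consumed
    # The check that matters for memory: the client-declared length is compared
    # with policy before any buffer of that size exists, body present or not.
    if header_length + remaining > max_packet_size:
        raise PacketTooLarge(f"declared {header_length + remaining} bytes > cap {max_packet_size}")
    return {
        "type": PACKET_TYPES[packet_type],
        "flags": data[0] & 0x0F,
        "remaining_length": remaining,
        "header_length": header_length,
    }


def frame_packets(stream: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE) -> List[Tuple[str, bytes]]:
    """Split a receive buffer into (type, body) frames, bounding each packet first."""
    frames, pos = [], 0
    while pos < len(stream):
        header = parse_fixed_header(stream[pos:], max_packet_size)
        start = pos + header["header_length"]
        end = start + header["remaining_length"]
        if end > len(stream):
            raise NeedMoreData("packet body shorter than declared")
        frames.append((header["type"], stream[start:end]))
        pos = end
    return frames


def classify(data: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE) -> str:
    """Outcome label for one buffer: 'ok', 'too_large', 'malformed' or 'incomplete'."""
    try:
        frame_packets(data, max_packet_size)
        return "ok"
    except PacketTooLarge:
        return "too_large"
    except MalformedPacket:
        return "malformed"
    except NeedMoreData:
        return "incomplete"


# Constructed sample inputs (not captures from any of the affected brokers).
SAMPLE_STREAM = (
    b"\xC0\x00"                      # PINGREQ, no body
    + b"\x30\x05\x00\x01a" + b"hi"   # PUBLISH QoS 0, topic "a", payload "hi"
)
SAMPLE_OVERSIZED = b"\x30\xFF\xFF\xFF\x7F"      # declares the spec maximum length
SAMPLE_FIVE_BYTE = b"\x30\x80\x80\x80\x80\x80"  # fifth continuation byte: malformed
SAMPLE_TRUNCATED = b"\x30\x80"                  # continuation bit set, then end of buffer

if __name__ == "__main__":
    print(frame_packets(SAMPLE_STREAM))
    for name, sample in [("oversized", SAMPLE_OVERSIZED), ("five-byte", SAMPLE_FIVE_BYTE),
                         ("truncated", SAMPLE_TRUNCATED)]:
        print(name, classify(sample))
```

Two caveats on the design. First, the cap is applied to the outermost length only; the same discipline has to be repeated for every inner count or length a client supplies (topic filter lists, string lengths, MQTT 5.0 properties), since each of those can also be sized by the client. Second, in MQTT 3.1.1 the cap is purely server policy, whereas MQTT 5.0 lets a server advertise it through the Maximum Packet Size property in CONNACK, so well-behaved clients can avoid tripping it at all.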

Affected Software

CVE-2021-22116

RabbitMQ version 3.8.x prior to 3.8.16

CVE-2021-33175

EMQ X versions prior to 4.2.8

CVE-2021-33176

VerneMQ versions prior to 1.12.0

Impact

CVE-2021-22116

Please refer to VMWare’s advisory for impact details: https://tanzu.vmware.com/security/cve-2021-22116

CVE-2021-33175

CVSS 3.1 base score: 8.6 (high)

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

CVE-2021-33176

CVSS 3.1 base score: 8.6 (high)

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

Remediation

CVE-2021-22116

Upgrade to RabbitMQ version 3.8.16 or later: https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.16

For release notes related to the fix of CVE-2021-22116, see here: https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.15

CVE-2021-33175

Upgrade to EMQ X version 4.2.8 or later.

https://docs.emqx.io/en/broker/v4.2/changes/changes-4.2.html#version-4-2-8

CVE-2021-33176

Upgrade to VerneMQ version 1.12.0 or later.

https://github.com/vernemq/vernemq/releases/tag/1.12.0

Discovery Credit

Jonathan Knudsen, a researcher from the Synopsys Cybersecurity Research Center, discovered these vulnerabilities using the Defensics® fuzz testing tool.

Synopsys would like to commend the RabbitMQ, VerneMQ, and EMQ X teams for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

CVE-2021-22116

  • March 9th, 2021: Initial Disclosure
  • April 7th, 2021: VMWare validates, confirms, and releases a patch for the vulnerability
  • April 9th, 2021: Fix from VMWare validated by Jonathan Knudsen
  • May 10th, 2021: VMWare publishes advisory for CVE-2021-22116
  • June 8th, 2021: Advisory published by Synopsys


CVE-2021-33175

  • March 9th, 2021: Initial Disclosure
  • March 10th, 2021: EMQ X validates, confirms, and releases a fix for the vulnerability
  • March 11th, 2021: Fix from EMQ X validated by Jonathan Knudsen
  • May 10th, 2021: CVE ID created
  • June 8th, 2021: Advisory published by Synopsys


CVE-2021-33176

  • March 9th, 2021: Initial Disclosure
  • March 10th, 2021: VerneMQ validates and confirms the vulnerability
  • May 10th, 2021: CVE ID created
  • May 20th, 2021: Fix from VerneMQ validated by Jonathan Knudsen
  • May 21st, 2021: VerneMQ releases version 1.12.0
  • June 8th, 2021: Advisory published by Synopsys