PublicDateAtUSN: 2021-06-08 12:15:00 UTC
Candidate: CVE-2021-22116
PublicDate: 2021-06-08 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22116
 https://tanzu.vmware.com/security/cve-2021-22116
 https://github.com/rabbitmq/rabbitmq-server/pull/2953
 https://ubuntu.com/security/notices/USN-5004-1
Description:
 All RabbitMQ versions prior to 3.8.16 are prone to a denial of service
 vulnerability due to improper input validation in the AMQP 1.0 client
 connection endpoint. A malicious user can exploit the vulnerability by
 sending malicious AMQP messages to a target RabbitMQ instance that has the
 AMQP 1.0 plugin enabled.
Ubuntu-Description:
Notes:
 leosilva> code affected in bionic is in deps/rabbitmq_amqp1_0/src/rabbit_amqp1_0_binary_parser.erl
 leosilva> in xenial in plugins-src/rabbitmq-amqp1.0/src/rabbit_amqp1_0_binary_parser.erl.
Mitigation:
Bugs:
Priority: medium
Discovered-by: Jonathan Knudsen
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_rabbitmq-server:
 upstream: https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563
upstream_rabbitmq-server: needs-triage
precise/esm_rabbitmq-server: DNE
trusty_rabbitmq-server: ignored (out of standard support)
trusty/esm_rabbitmq-server: DNE
xenial_rabbitmq-server: ignored (out of standard support)
esm-infra/xenial_rabbitmq-server: released (3.5.7-1ubuntu0.16.04.4+esm1)
bionic_rabbitmq-server: released (3.6.10-1ubuntu0.5)
focal_rabbitmq-server: released (3.8.2-0ubuntu1.3)
groovy_rabbitmq-server: released (3.8.5-1ubuntu0.2)
hirsute_rabbitmq-server: released (3.8.9-2ubuntu0.1)
impish_rabbitmq-server: released (3.8.9-3ubuntu1)
jammy_rabbitmq-server: released (3.8.9-3ubuntu1)
devel_rabbitmq-server: released (3.8.9-3ubuntu1)