The Synopsys Cybersecurity Research Center (CyRC) has disclosed three separate denial of service vulnerabilities in open source message broker applications. Message brokers are used in software systems to enable multiple independent components to reliably and robustly exchange information. RabbitMQ, EMQ X, and VerneMQ are three open source message brokers. In each, CyRC research uncovered input that causes the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system.
Message brokers use a variety of network protocols to exchange information. One widely used protocol is Message Queuing Telemetry Transport (MQTT). CyRC discovered malformed MQTT messages that cause excessive memory consumption in each of the affected message brokers. While the failures are all related to handling client input, the failure mechanism is different from one message broker to another. CyRC found three separate malformed MQTT messages that cause failure in the three separate message brokers, but did not find a single message that would cause failure in all three.
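As an added example, not code from the Synopsys disclosure or from RabbitMQ, EMQ X or VerneMQ, here is a Python sketch of the defensive check an MQTT front end needs against the class of failure described above: decode the fixed header's Remaining Length field and compare the declared packet size with a configured limit before allocating a buffer for the body, and reject encodings the MQTT specification forbids. The specific malformed messages CyRC found are not described on this page and are not reproduced here; the sample packets below are constructed, and the 1 MiB limit is an assumed configuration value.

```python
import io
from dataclasses import dataclass

# MQTT encodes Remaining Length in 1 to 4 bytes of 7 data bits each (MSB is a
# continuation flag), so the largest value the wire format can express is 2^28 - 1.
MQTT_MAX_REMAINING_LENGTH = 268_435_455


class MalformedPacket(ValueError):
    """Fixed header violates the MQTT encoding rules."""


class PacketTooLarge(ValueError):
    """Declared size exceeds the broker's configured per-packet limit."""


@dataclass
class FixedHeader:
    packet_type: int       # high nibble of the first byte (1 = CONNECT, 3 = PUBLISH, ...)
    flags: int             # low nibble of the first byte
    remaining_length: int  # number of bytes that follow the fixed header
    header_size: int       # bytes consumed by the fixed header itself


def decode_remaining_length(data: bytes, offset: int = 1) -> tuple[int, int]:
    """Decode the variable-length Remaining Length starting at data[offset].

    Returns (value, bytes_consumed). Raises MalformedPacket if the field is
    truncated or uses more than the four bytes the specification allows.
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if offset + consumed >= len(data):
            raise MalformedPacket("truncated Remaining Length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, consumed
        if consumed == 4:
            raise MalformedPacket("Remaining Length uses more than 4 bytes")
        multiplier *= 128


def parse_fixed_header(data: bytes, max_packet_size: int) -> FixedHeader:
    """Parse the fixed header and enforce the size limit before any body is buffered."""
    if not data:
        raise MalformedPacket("empty packet")
    packet_type, flags = data[0] >> 4, data[0] & 0x0F
    if packet_type == 0:
        raise MalformedPacket("reserved packet type 0")
    remaining, consumed = decode_remaining_length(data, 1)
    total = 1 + consumed + remaining
    if total > max_packet_size:
        # Reject on the declared size alone: nothing has been allocated yet.
        raise PacketTooLarge(f"declared {total} bytes, limit is {max_packet_size}")
    return FixedHeader(packet_type, flags, remaining, 1 + consumed)


def read_packet(stream, max_packet_size: int) -> tuple[FixedHeader, bytes]:
    """Read one MQTT control packet: header byte by byte, size check, then the body."""
    head = stream.read(1)
    if not head:
        raise MalformedPacket("connection closed before fixed header")
    # Pull Remaining Length bytes one at a time; stop at the first byte without the
    # continuation bit. A fifth length byte is left for parse_fixed_header to reject.
    for _ in range(4):
        b = stream.read(1)
        if not b:
            raise MalformedPacket("connection closed inside Remaining Length")
        head += b
        if not b[0] & 0x80:
            break
    header = parse_fixed_header(head, max_packet_size)
    body = stream.read(header.remaining_length)
    if len(body) != header.remaining_length:
        raise MalformedPacket("body shorter than declared Remaining Length")
    return header, body


def classify(packet: bytes, max_packet_size: int) -> str:
    """Label a raw packet for logging or metrics: 'ok', 'too-large' or 'malformed'."""
    try:
        read_packet(io.BytesIO(packet), max_packet_size)
        return "ok"
    except PacketTooLarge:
        return "too-large"
    except MalformedPacket:
        return "malformed"


# Constructed sample packets (not the messages from the CyRC disclosure).
SAMPLES = {
    # CONNECT with a 12-byte body: type 0x10, Remaining Length 12, then the body
    "small_connect": b"\x10\x0c" + b"\x00\x04MQTT\x04\x02\x00\x3c\x00\x00",
    # CONNECT declaring the maximum Remaining Length (2^28 - 1) with no body at all
    "huge_claim": b"\x10\xff\xff\xff\x7f",
    # continuation bit set on all four length bytes: an illegal encoding
    "five_byte_length": b"\x10\x80\x80\x80\x80\x01",
    # length field cut off part-way through
    "truncated": b"\x10\x80",
}

if __name__ == "__main__":
    LIMIT = 1024 * 1024  # assumed per-packet limit of 1 MiB
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} {classify(pkt, LIMIT)}")
```

The point of the structure is that the decision to drop a connection is taken on the five header bytes alone: a client that declares a body of 256 MiB never causes an allocation of that size, and a client that never finishes its Remaining Length field cannot hold a partially filled buffer open. A broker that instead trusts the declared length, or grows a buffer as bytes arrive without an upper bound, exhibits exactly the symptom the disclosure describes: memory grows until the operating system terminates the process.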
Jonathan Knudsen, senior security strategist at Synopsys, and the researcher who discovered the vulnerabilities, commented: “Message brokers are software applications that serve as a messaging hub for complex systems. They provide reliable communication channels between different components, serving as the nerve center of a complex system. As such, message brokers can also be a central point of failure. If the message broker dies, system components won’t be able to communicate. CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial of service vulnerabilities in three popular open source message brokers. They give attackers the opportunity to disable the message brokers, a denial-of-service attack that could have serious consequences.
“Open source message brokers, like other open source components, offer amazing functionality, but must be managed properly. When new vulnerabilities are discovered, the organisation must make sure to update open source components to versions in which known vulnerabilities are fixed. Software Composition Analysis (SCA) tools automate much of this work and can automatically notify development or operations teams when new vulnerabilities are discovered in any used open source components.”
Further information on the vulnerability disclosure can be found here.