Sign-up

ID

VAR-201911-1657


CVE

CVE-2019-11287


TITLE

Pivotal RabbitMQ and RabbitMQ for Pivotal Platform Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2019-012564

DESCRIPTION

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. Pivotal RabbitMQ and RabbitMQ for Pivotal Platform Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. ========================================================================== Ubuntu Security Notice USN-5004-1 June 24, 2021 rabbitmq-server vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.04 - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM Summary: Several security issues were fixed in rabbitmq-server. Software Description: - rabbitmq-server: AMQP server written in Erlang Details: It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2019-11287) Jonathan Knudsen discovered RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2021-22116) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.04: rabbitmq-server 3.8.9-2ubuntu0.1 Ubuntu 20.10: rabbitmq-server 3.8.5-1ubuntu0.2 Ubuntu 20.04 LTS: rabbitmq-server 3.8.2-0ubuntu1.3 Ubuntu 18.04 LTS: rabbitmq-server 3.6.10-1ubuntu0.5 Ubuntu 16.04 ESM: rabbitmq-server 3.5.7-1ubuntu0.16.04.4+esm1 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: rabbitmq-server security update Advisory ID: RHSA-2020:0078-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:0078 Issue date: 2020-01-13 CVE Names: CVE-2019-11287 ===================================================================== 1. Summary: An update for rabbitmq-server is now available for Red Hat OpenStack Platform 15 (Stein). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 15.0 - ppc64le, x86_64 3. Description: RabbitMQ is an implementation of AMQP, the emerging standard for high performance enterprise messaging. The RabbitMQ server is a robust and scalable implementation of an AMQP broker. Security Fix(es): * "X-Reason" HTTP Header can be leveraged to insert a malicious string leading to DoS (CVE-2019-11287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat OpenStack Platform 15.0: Source: rabbitmq-server-3.7.22-1.el8ost.src.rpm ppc64le: rabbitmq-server-3.7.22-1.el8ost.ppc64le.rpm x86_64: rabbitmq-server-3.7.22-1.el8ost.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11287 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXhxCd9zjgjWX9erEAQhcJhAAkFi7Cpsx7AQav3E+LgCF0GblFmJWFP3L qg5F2/2FFdd1fFfHN3FvT9km571u1Hm9oPjKe4g2SgkrOmsP+mEsqD6nXHg1vHGw yOZ4GSGO0bde/Zj5USrmxFIwZcmbl5MzIrCqtx9fNPQPZzI4Hk8qmpINvc6wBZFs aZafHly3mPvxP28rAnEtkjUCEzRuXnovQDrCW8sfNCT1Vhayg+A0cS2iM8rHak25 SNlac9rq3dVkw1wWdgeVmNwu1bCcKopXLYrwVC70esX9fZxnCtPB0iTjy3g4qvxV xfcdsLLQOAYQZdBDtn1M+1GjjG7NLqcP6jD8ySBM+uNwyNiH20LpXmMO9ShysM31 BrYG+aNJyb8AmrMtNF/MijJqv1SYakhHANK0OsdkgGokZWss7yhe7qOpZVU83z41 owwpUrSsBO2xRb85nzo7AcoI0na/f965KyQjt7P1stMiTaXd84VucWlNcEH+I4ox 0zbC4AWgKTbvnMNA2WDSPpx2fkcBS3PdjBi/1MqGES6srz+4oH8MunlqojqKjK9j /YkttwQD78cswQPm1LBaZNaFpqtFnFnAjN18E+phb2Y01hTCvwqVj05fp+eDNQM+ N20HEjc8EDWAmyOGqripUnQ+rRBuPSfkU686szcZwrHFqrz/sh8h0qFRca/Za+4v qUGcuX2aS7Q= =/zG9 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.8

sources: NVD: CVE-2019-11287 // JVNDB: JVNDB-2019-012564 // PACKETSTORM: 163278 // PACKETSTORM: 155914

AFFECTED PRODUCTS

vendor:pivotalmodel:rabbitmqscope:ltversion:1.16.7

Trust: 1.0

vendor:pivotalmodel:rabbitmqscope:gteversion:1.17.0

Trust: 1.0

vendor:pivotalmodel:rabbitmqscope:ltversion:1.17.4

Trust: 1.0

vendor:broadcommodel:rabbitmq serverscope:ltversion:3.8.1

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:broadcommodel:rabbitmq serverscope:gteversion:3.8.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:30

Trust: 1.0

vendor:redhatmodel:openstackscope:eqversion:15

Trust: 1.0

vendor:pivotalmodel:rabbitmqscope:gteversion:1.16.0

Trust: 1.0

vendor:pivotalmodel:rabbitmqscope:ltversion:3.7.21

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:31

Trust: 1.0

vendor:pivotalmodel:rabbitmqscope:gteversion:3.7.0

Trust: 1.0

vendor:pivotalmodel:rabbitmqscope:ltversion:3.7

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:eqversion:3.8.1

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:ltversion:1.17.x

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:ltversion:1.16.x

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:eqversion:3.7.21

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:eqversion:for pivotal platform 1.16.7

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:eqversion:for pivotal platform 1.17.4

Trust: 0.8

vendor:pivotalmodel:rabbitmqscope:ltversion:3.8

Trust: 0.8

sources: JVNDB: JVNDB-2019-012564 // NVD: CVE-2019-11287

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11287
value: HIGH

Trust: 1.0

security@pivotal.io: CVE-2019-11287
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-11287
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201911-1307
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-11287
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2019-11287
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

security@pivotal.io: CVE-2019-11287
baseSeverity: MEDIUM
baseScore: 4.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: CVE-2019-11287
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-012564 // CNNVD: CNNVD-201911-1307 // NVD: CVE-2019-11287 // NVD: CVE-2019-11287

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.8

problemtype:CWE-134

Trust: 1.0

sources: JVNDB: JVNDB-2019-012564 // NVD: CVE-2019-11287

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-1307

TYPE

format string error

Trust: 0.6

sources: CNNVD: CNNVD-201911-1307

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-012564

PATCH
title:CVE-2019-11287: RabbitMQ Web Management Plugin DoS via heap overflowurl:https://pivotal.io/security/cve-2019-11287
Trust: 0.8
title:Pivotal Software RabbitMQ Remediation of resource management error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=104058
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-012564 // 
            
            
            
            CNNVD: CNNVD-201911-1307

EXTERNAL IDS
db:NVDid:CVE-2019-11287
Trust: 2.6
db:JVNDBid:JVNDB-2019-012564
Trust: 0.8
db:PACKETSTORMid:163278
Trust: 0.7
db:PACKETSTORMid:155914
Trust: 0.7
db:AUSCERTid:ESB-2020.0135
Trust: 0.6
db:AUSCERTid:ESB-2021.2233
Trust: 0.6
db:AUSCERTid:ESB-2021.2432
Trust: 0.6
db:CNNVDid:CNNVD-201911-1307
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-012564 // 
            
            
            
            PACKETSTORM: 163278 // 
            
            
            
            PACKETSTORM: 155914 // 
            
            
            
            CNNVD: CNNVD-201911-1307 // 
            
            
            
            NVD: CVE-2019-11287

REFERENCES
url:https://access.redhat.com/errata/rhsa-2020:0078
Trust: 2.3
url:https://pivotal.io/security/cve-2019-11287
Trust: 2.2
url:https://nvd.nist.gov/vuln/detail/cve-2019-11287
Trust: 1.6
url:https://github.com/drunkenshells/disclosures/tree/master/cve-2019-11287-dos%20via%20heap%20overflow-rabbitmq%20web%20management%20plugin
Trust: 1.6
url:https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11287
Trust: 1.4
url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/pytgr3d5fw2o25rxzotizmod2hauvbe4/
Trust: 1.0
url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/eeq6o7pmnjkyfmqyhab55l423gyk63so/
Trust: 1.0
url:https://access.redhat.com/security/cve/cve-2019-11287
Trust: 0.7
url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/pytgr3d5fw2o25rxzotizmod2hauvbe4/
Trust: 0.6
url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/eeq6o7pmnjkyfmqyhab55l423gyk63so/
Trust: 0.6
url:https://packetstormsecurity.com/files/163278/ubuntu-security-notice-usn-5004-1.html
Trust: 0.6
url:https://packetstormsecurity.com/files/155914/red-hat-security-advisory-2020-0078-01.html
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2021.2432
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2021.2233
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0135/
Trust: 0.6
url:https://launchpad.net/ubuntu/+source/rabbitmq-server/3.6.10-1ubuntu0.5
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.9-2ubuntu0.1
Trust: 0.1
url:https://ubuntu.com/security/notices/usn-5004-1
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.5-1ubuntu0.2
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.2-0ubuntu1.3
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2021-22116
Trust: 0.1
url:https://www.redhat.com/mailman/listinfo/rhsa-announce
Trust: 0.1
url:https://access.redhat.com/articles/11258
Trust: 0.1
url:https://bugzilla.redhat.com/):
Trust: 0.1
url:https://access.redhat.com/security/team/key/
Trust: 0.1
url:https://access.redhat.com/security/team/contact/
Trust: 0.1
url:https://access.redhat.com/security/updates/classification/#important
Trust: 0.1
sources:
            
            
            JVNDB: JVNDB-2019-012564 // 
            
            
            
            PACKETSTORM: 163278 // 
            
            
            
            PACKETSTORM: 155914 // 
            
            
            
            CNNVD: CNNVD-201911-1307 // 
            
            
            
            NVD: CVE-2019-11287

CREDITS
Red Hat
Trust: 0.7
sources:
            
            
            PACKETSTORM: 155914 // 
            
            
            
            CNNVD: CNNVD-201911-1307

SOURCES
db:JVNDBid:JVNDB-2019-012564
db:PACKETSTORMid:163278
db:PACKETSTORMid:155914
db:CNNVDid:CNNVD-201911-1307
db:NVDid:CVE-2019-11287

LAST UPDATE DATE
2025-04-02T19:57:39.118000+00:00

SOURCES UPDATE DATE
db:JVNDBid:JVNDB-2019-012564date:2019-12-05T00:00:00
db:CNNVDid:CNNVD-201911-1307date:2021-08-05T00:00:00
db:NVDid:CVE-2019-11287date:2025-04-02T14:13:43.180

SOURCES RELEASE DATE
db:JVNDBid:JVNDB-2019-012564date:2019-12-05T00:00:00
db:PACKETSTORMid:163278date:2021-06-24T17:57:46
db:PACKETSTORMid:155914date:2020-01-13T18:04:22
db:CNNVDid:CNNVD-201911-1307date:2019-11-22T00:00:00
db:NVDid:CVE-2019-11287date:2019-11-23T00:15:10.683