Does RabbitMQ use Erlang/OTP SSH library? Is it affected by CVE-2025-32433?

[manoj365study]

Community Support Policy

• I have read RabbitMQ's Community Support Policy
• I run RabbitMQ 4.x, the only series currently covered by community support
• I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.0.5

Erlang version used

27.2.x

Operating system (distribution) used

Linux

How is RabbitMQ deployed?

RPM package

rabbitmq-diagnostics status output

Cluster status of node rabbit@manojclog--0 ...
Basics

Cluster name: [email protected]
Total CPU cores available cluster-wide: 12

Disk Nodes

rabbit@manojclog--0

Running Nodes

rabbit@manojclog--0

Versions

rabbit@manojclog--0: RabbitMQ 4.0.3 on Erlang 26.2.5.5

CPU Cores

Node: rabbit@manojclog--0, available CPU cores: 12

Maintenance status

Node: rabbit@manojclog--0, status: not under maintenance

Alarms

(none)

Network Partitions

(none)

Listeners

Node: rabbit@manojclog--0, interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: rabbit@manojclog--0, interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Node: rabbit@manojclog--0, interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: rabbit@manojclog--0, interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0

Feature flags

Flag: classic_mirrored_queue_version, state: enabled
Flag: classic_queue_type_delivery_support, state: enabled
Flag: detailed_queues_endpoint, state: enabled
Flag: direct_exchange_routing_v2, state: enabled
Flag: drop_unroutable_metric, state: enabled
Flag: empty_basic_get_metric, state: enabled
Flag: feature_flags_v2, state: enabled
Flag: implicit_default_bindings, state: enabled
Flag: khepri_db, state: disabled
Flag: listener_records_in_ets, state: enabled
Flag: maintenance_mode_status, state: enabled
Flag: message_containers, state: enabled
Flag: message_containers_deaths_v2, state: enabled
Flag: quorum_queue, state: enabled
Flag: quorum_queue_non_voters, state: enabled
Flag: rabbit_exchange_type_local_random, state: enabled
Flag: rabbitmq_4.0.0, state: enabled
Flag: restart_streams, state: enabled
Flag: stream_filtering, state: enabled
Flag: stream_queue, state: enabled
Flag: stream_sac_coordinator_unblock_group, state: enabled
Flag: stream_single_active_consumer, state: enabled
Flag: stream_update_config_command, state: enabled
Flag: tracking_records_in_ets, state: enabled
Flag: user_limits, state: enabled
Flag: virtual_host_metadata, state: enabled

Logs from node 1 (with sensitive values edited out)

Cluster status of node rabbit@manojclog--0 ...
Basics

Cluster name: [email protected]
Total CPU cores available cluster-wide: 12

Disk Nodes

rabbit@manojclog--0

Running Nodes

rabbit@manojclog--0

Versions

rabbit@manojclog--0: RabbitMQ 4.0.3 on Erlang 26.2.5.5

CPU Cores

Node: rabbit@manojclog--0, available CPU cores: 12

Maintenance status

Node: rabbit@manojclog--0, status: not under maintenance

Alarms

(none)

Network Partitions

(none)

Listeners

Node: rabbit@manojclog--0, interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: rabbit@manojclog--0, interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Node: rabbit@manojclog--0, interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: rabbit@manojclog--0, interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0

Feature flags

Flag: classic_mirrored_queue_version, state: enabled
Flag: classic_queue_type_delivery_support, state: enabled
Flag: detailed_queues_endpoint, state: enabled
Flag: direct_exchange_routing_v2, state: enabled
Flag: drop_unroutable_metric, state: enabled
Flag: empty_basic_get_metric, state: enabled
Flag: feature_flags_v2, state: enabled
Flag: implicit_default_bindings, state: enabled
Flag: khepri_db, state: disabled
Flag: listener_records_in_ets, state: enabled
Flag: maintenance_mode_status, state: enabled
Flag: message_containers, state: enabled
Flag: message_containers_deaths_v2, state: enabled
Flag: quorum_queue, state: enabled
Flag: quorum_queue_non_voters, state: enabled
Flag: rabbit_exchange_type_local_random, state: enabled
Flag: rabbitmq_4.0.0, state: enabled
Flag: restart_streams, state: enabled
Flag: stream_filtering, state: enabled
Flag: stream_queue, state: enabled
Flag: stream_sac_coordinator_unblock_group, state: enabled
Flag: stream_single_active_consumer, state: enabled
Flag: stream_update_config_command, state: enabled
Flag: tracking_records_in_ets, state: enabled
Flag: user_limits, state: enabled
Flag: virtual_host_metadata, state: enabled

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

rabbitmq.conf

default

Steps to deploy RabbitMQ cluster

install rpm in rocky8 linux container and deploy docker comtainer

Steps to reproduce the behavior in question

none

advanced.config

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find advanced.config file location

# PASTE advanced.config HERE, BETWEEN BACKTICKS

Application code

# PASTE CODE HERE, BETWEEN BACKTICKS

Kubernetes deployment file

# Relevant parts of K8S deployment that demonstrate how RabbitMQ is deployed
# PASTE YAML HERE, BETWEEN BACKTICKS

What problem are you trying to solve?

As per GHSA-37cp-fgq5-7wc2 this vulnerability, is rabbitmq impacted in any way.

Does rabbitmq use erlang ssh library? if yes should take the fix given. If not, can we say it is not impacted?

[ansd]

Duplicate of #13778