RabbitMQ last vulnerabilities #3147

ophirzk · 2021-06-24T18:12:20Z

ophirzk
Jun 24, 2021

Hi,

The last 2 security vulnerabilities: CVE-2021-22117 and CVE-2021-22116 have been solved in version 3.8.16 but it is not clear if they are relevant to RabbitMQ version prior to 3.8.x.
In CVE-2021-22117, "obsolete-default.x" is mentioned:

Do "obsolete-default.x" versions mean versions that are out of support (prior to 3.8.x)?

In CVE-2021-22116 there is no "obsolete-default.x", but it might be relevant to RabbitMQ 3.7/3.6 as well.
Is it relevant to 3.7.x/3.6.x as well?
I know that everyone should upgrade to the latest major version, but there are a lot of users who haven't (for their own reasons).

Links:
https://tanzu.vmware.com/security/cve-2021-22116
https://tanzu.vmware.com/security/cve-2021-22117

Answered by michaelklishin

Jul 1, 2021

Unless otherwise mentioned, a vulnerability is applicable to all earlier releases.

RabbitMQ 3.7 and 3.6 are both out of support (3.6 has been out of support for years) so
we did not try to reproduce with their final patches but I'm quite certain that all CVEs addressed since 3.8.14 are also present there.

View full answer

michaelklishin · 2021-07-01T08:55:58Z

michaelklishin
Jul 1, 2021
Maintainer

Unless otherwise mentioned, a vulnerability is applicable to all earlier releases.

RabbitMQ 3.7 and 3.6 are both out of support (3.6 has been out of support for years) so
we did not try to reproduce with their final patches but I'm quite certain that all CVEs addressed since 3.8.14 are also present there.

0 replies

michaelklishin · 2021-07-01T08:59:29Z

michaelklishin
Jul 1, 2021
Maintainer

@ophirzk users of 3.6 and 3.7 should understand that those series will not get any more patches, even security patches, even for high severity vulnerabilities.

That said, RabbitMQ is open source software and all patches are publicly available. All three security patches after 3.8.14
are quite small so it should be possible to back port them
for those who absolutely cannot upgrade.

We are aware of one person who volunteered to try it for older Debian distributions. They contacted [email protected] and
asked how to identify the relevant changes (specific commits) and was given (I hope) enough information.

3 replies

ophirzk Jul 1, 2021
Author

@michaelklishin
This it is a very valuable information.
Thank you.

StayPirate Jul 21, 2021

That said, RabbitMQ is open source software and all patches are publicly available. All three security patches after 3.8.14
are quite small so it should be possible to back port them
for those who absolutely cannot upgrade.

Can you point me out which is the commit that mitigates CVE-2021-22116, I dove into these 36 commits between v3.8.15 and v3.8.16, and TBH I have not figured out where this patch is.

StayPirate Aug 4, 2021

@michaelklishin ^

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RabbitMQ last vulnerabilities #3147

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

RabbitMQ last vulnerabilities #3147

Uh oh!

Uh oh!

ophirzk Jun 24, 2021

Replies: 2 comments · 3 replies

Uh oh!

michaelklishin Jul 1, 2021 Maintainer

Uh oh!

michaelklishin Jul 1, 2021 Maintainer

Uh oh!

ophirzk Jul 1, 2021 Author

Uh oh!

StayPirate Jul 21, 2021

Uh oh!

StayPirate Aug 4, 2021

ophirzk
Jun 24, 2021

Replies: 2 comments 3 replies

michaelklishin
Jul 1, 2021
Maintainer

michaelklishin
Jul 1, 2021
Maintainer

ophirzk Jul 1, 2021
Author