Rabbit MQ 3.7 and CVE-2019-11287
Article ID: 315820
Updated On:
Products
VMware Tanzu RabbitMQ
Issue/Introduction
Smarts 10.1.12 version and prior use RabbitMQ 3.7 and has been associated with CVE-2019-11287
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
NVD - CVE-2019-11287 (nist.gov)
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
NVD - CVE-2019-11287 (nist.gov)
Environment
VMware Smart Assurance - SMARTS
Resolution
Vmware will upgrade Smarts RabbitMQ in a future release.
Currently the Smarts RabbitMQ is an edited version specifically for the Smarts RabbitMQ / EDAA and Elasticsearch functions of Smarts for use with Watch4net
Customers will not be able to manually upgrade RabbitMQ within Smarts SAM installs.
Feedback
Yes
No
Powered by
