The web management plugin is vulnerable to a denial-of-service attack. The "X-Reason" HTTP header can be used to inject a malicious Erlang format string that expands and consumes the heap, causing the server to crash.
Created rabbitmq-server tracking bugs for this issue: Affects: fedora-all [bug 1783319]
Created rabbitmq-server tracking bugs for this issue: Affects: openstack-rdo [bug 1783324]
External References: https://pivotal.io/security/cve-2019-11287
Mitigation: This flaw can be mitigated by disabling the Web Management plugin: rabbitmq-plugins disable rabbitmq_management.
Statement: Red Hat Ansible Tower and Red Hat CloudForms are not vulnerable, as they do not expose the RabbitMQ management interface by default. In Red Hat OpenStack Platform 13, the management interface was not enabled by default. So, although the vulnerable code was packaged, the impact for this version has been lowered to Moderate.
This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) via RHSA-2020:0078 https://access.redhat.com/errata/RHSA-2020:0078
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11287