Bug 1961638 (CVE-2021-22116)

Summary: CVE-2021-22116 rabbitmq-server: improper input validation may lead to DoS
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, cmeyers, dbecker, gblomqui, jeckersb, jjoyce, jschluet, lemenkov, lhh, lpeer, mabashia, mburns, notting, plemenko, rjones, rpetrell, sclewis, slinaber, smcdonal, s
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rabbitmq-server 3.8.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rabbitmq-server, where insufficient input validation in the AMQP 1.0 client connection endpoint could allow a denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Last Closed: 2021-06-09 21:03:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1961641, 1961640
Bug Blocks: 1961642

Description Marian Rehak 2021-05-18 11:51:11 UTC
RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in the AMQP 1.0 client connection endpoint. A malicious actor can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance that has the AMQP 1.0 plugin enabled.

External Reference:

https://tanzu.vmware.com/security/cve-2021-22116

Comment 1 Marian Rehak 2021-05-18 11:52:15 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: epel-7 [bug 1961641]
Affects: fedora-all [bug 1961640]

Comment 2 Bill Nottingham 2021-05-18 14:44:28 UTC
All versions of Ansible Tower that used RabbitMQ (Tower versions 3.6 and earlier) are now EOL.

Comment 3 Tapas Jena 2021-05-20 05:14:17 UTC
Hi, marking this as "Not affected" for Ansible Tower as RabbitMQ is no more relevant to Tower Or AAP.

Comment 4 Product Security DevOps Team 2021-06-09 21:03:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22116