Bug 1783318 (CVE-2019-11287) - CVE-2019-11287 rabbitmq-server: "X-Reason" HTTP Header can be leveraged to insert a malicious string leading to DoS
Summary: CVE-2019-11287 rabbitmq-server: "X-Reason" HTTP Header can be leveraged to in...
Alias: CVE-2019-11287
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1783324 1783319 1784274 1784275 1784276
Blocks: 1783322
TreeView+ depends on / blocked
Reported: 2019-12-13 15:00 UTC by Marian Rehak
Modified: 2020-01-13 14:09 UTC (History)
29 users (show)

Fixed In Version: rabbitmq-server 3.7.21, rabbitmq-server 3.8.1
Doc Type: If docs needed, set a value
Doc Text:
A resource-consumption flaw was identified in the rabbitmq-server web management plugin. Utilizing a malicious 'X-Reason' HTTP header, a remote attacker could insert a malicious Erlang format string which will expand and consume heap memory, resulting in a crash. The highest threat from this vulnerability is system availability.
Clone Of:
Last Closed: 2020-01-13 14:09:33 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0078 None None None 2020-01-13 10:11:38 UTC

Description Marian Rehak 2019-12-13 15:00:06 UTC
There's a vulnerability in the web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Comment 1 Marian Rehak 2019-12-13 15:00:22 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: fedora-all [bug 1783319]

Comment 2 Marian Rehak 2019-12-13 15:01:34 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: openstack-rdo [bug 1783324]

Comment 8 Summer Long 2020-01-06 00:34:30 UTC
External References:


Comment 11 Nick Tait 2020-01-08 23:56:58 UTC

This flaw can be mitigated by disabling the Web Management plugin: rabbitmq-plugins disable rabbitmq_management.

Comment 15 Summer Long 2020-01-09 04:27:09 UTC

Red Hat Ansible Tower and Red Hat CloudForms are not vulnerable as they do not expose the RabbitMQ management interface by default. 
In Red Hat OpenStack Platform 13, the management interface was not enabled by default. So, although the flaw code was packaged, its impact for this version has been lowered to Moderate.

Comment 16 errata-xmlrpc 2020-01-13 10:11:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:0078 https://access.redhat.com/errata/RHSA-2020:0078

Comment 17 Product Security DevOps Team 2020-01-13 14:09:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.