CVE-2023-46118 Overview
CVE-2023-46118 is a Denial of Service (DoS) vulnerability affecting RabbitMQ, a widely-used multi-protocol messaging and streaming broker. The vulnerability exists in the HTTP API, which fails to enforce an HTTP request body limit, allowing authenticated attackers to send extremely large messages that can overwhelm the target node and trigger an out-of-memory termination.
Critical Impact
An authenticated user with sufficient credentials can exploit this vulnerability to cause a complete denial of service on the RabbitMQ node by publishing very large messages via the HTTP API, potentially disrupting critical messaging infrastructure.
Affected Products
- VMware RabbitMQ versions prior to 3.11.24
- VMware RabbitMQ versions prior to 3.12.7
Discovery Timeline
- October 25, 2023 - CVE-2023-46118 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-46118
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a resource exhaustion vulnerability that allows attackers to deplete system resources. The flaw stems from the RabbitMQ HTTP API's failure to impose size restrictions on incoming HTTP request bodies. When an authenticated attacker sends oversized message payloads through the management HTTP API, the server attempts to process and allocate memory for these requests without proper bounds checking. This behavior can rapidly consume available system memory, ultimately triggering the operating system's out-of-memory (OOM) killer mechanism to terminate the RabbitMQ process.
The attack requires authentication, meaning an attacker must possess valid credentials with permissions to publish messages via the HTTP API. While this requirement limits the attack surface, compromised credentials or malicious insiders could exploit this vulnerability to take down critical messaging infrastructure.
Root Cause
The root cause of CVE-2023-46118 lies in the absence of input validation and size limits on HTTP request bodies within the RabbitMQ HTTP API. The API accepts arbitrarily large payloads without enforcing reasonable boundaries, creating a resource exhaustion condition. This design oversight allows memory consumption to scale directly with the size of attacker-controlled input, enabling denial of service through resource depletion.
Attack Vector
The attack is network-based and requires authentication. An attacker with valid credentials can target the RabbitMQ HTTP API endpoint, typically accessible on port 15672 by default. By crafting HTTP POST requests with extremely large message bodies directed at message publishing endpoints, the attacker forces the server to allocate memory proportional to the payload size. Repeated requests or a single sufficiently large request can exhaust available memory, causing the Linux OOM killer or similar mechanism to terminate the RabbitMQ process.
The attack flow involves:
- Authenticating to the RabbitMQ HTTP API with valid credentials
- Sending HTTP POST requests with oversized payloads to message publishing endpoints
- Triggering memory exhaustion on the target node
- Causing process termination via the system's OOM killer
Detection Methods for CVE-2023-46118
Indicators of Compromise
- Unusually large HTTP POST requests to the RabbitMQ management API (port 15672)
- Sudden memory consumption spikes on RabbitMQ server nodes
- OOM killer events in system logs referencing RabbitMQ processes
- Unexpected RabbitMQ service restarts or terminations
Detection Strategies
- Monitor HTTP request body sizes to the RabbitMQ management API and alert on anomalously large payloads
- Implement network-level inspection to identify oversized HTTP requests targeting RabbitMQ endpoints
- Configure system monitoring to detect rapid memory consumption patterns on nodes running RabbitMQ
- Review authentication logs for suspicious API activity patterns from unusual accounts
Monitoring Recommendations
- Enable detailed access logging for the RabbitMQ HTTP API to capture request metadata
- Set up alerting thresholds for memory utilization on RabbitMQ nodes
- Monitor system logs for OOM killer activity and correlate with RabbitMQ process terminations
- Implement rate limiting and request size monitoring at load balancer or reverse proxy layers
How to Mitigate CVE-2023-46118
Immediate Actions Required
- Upgrade RabbitMQ to version 3.11.24 or later for the 3.11.x branch
- Upgrade RabbitMQ to version 3.12.7 or later for the 3.12.x branch
- Review and restrict HTTP API access to only essential administrative accounts
- Implement network-level controls to limit access to the RabbitMQ management API
Patch Information
VMware has released patched versions that address this vulnerability by implementing proper HTTP request body size limits. The fix is available in RabbitMQ versions 3.11.24 and 3.12.7. Organizations should update to these versions or later to remediate the vulnerability. Additional details are available in the GitHub Security Advisory GHSA-w6cq-9cf4-gqpg. Debian users should refer to Debian Security Advisory DSA-5571 and the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Place a reverse proxy or web application firewall in front of the RabbitMQ HTTP API to enforce request body size limits
- Restrict network access to the management API by binding it to localhost or internal networks only
- Implement strict credential management and limit the number of accounts with HTTP API publishing permissions
- Configure resource limits and monitoring to detect and respond to memory exhaustion attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
