RabbitMQ, a popular open-source multi-protocol messaging and streaming broker, has a security vulnerability in the HTTP API of its management plugin. In affected versions, queue deletion through the HTTP API did not verify the configure permission of the user. As a result, users who had valid credentials, some permissions for the target virtual host, and access to the HTTP API could delete queues they were not authorized to delete. In this article, we will explore the details of this vulnerability, the affected versions, and how to mitigate the issue.
Details of the Issue
The vulnerability (CVE-2024-51988) lies in the fact that the RabbitMQ management plugin's queue deletion via the HTTP API does not verify the configure permission of the user. Consequently, users who have valid credentials, some permissions for the target virtual host, and HTTP API access can delete queues for which they do not have deletion permissions.
Here's a code snippet demonstrating queue deletion via the HTTP API:
import requests
from urllib.parse import quote


def delete_queue(vhost, queue, username, password):
    # The vhost is a path segment, so it must be percent-encoded
    # (the default vhost "/" becomes "%2F"); quote(..., safe="") does that.
    url = f"http://rabbitmq.server:15672/api/queues/{quote(vhost, safe='')}/{quote(queue, safe='')}"
    auth = (username, password)
    headers = {"content-type": "application/json"}
    # On affected versions the broker performs this deletion without checking
    # that the user holds configure permission for the queue in this vhost.
    response = requests.delete(url, auth=auth, headers=headers)
    if response.status_code == 204:
        print(f"Queue '{queue}' deleted successfully.")
    else:
        print(f"Error: {response.status_code} - {response.text}")


delete_queue("test_vhost", "test_queue", "user", "password")
Mitigation Measures
It's highly recommended to upgrade to the latest RabbitMQ versions, which have addressed this security issue:
For Tanzu RabbitMQ, upgrade to versions 1.5.2, 3.13., or 4...
If upgrading is not possible, users can disable the management plugin, which removes the HTTP API that this vulnerability depends on, and use alternative monitoring and management tools such as Prometheus and Grafana.
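To make the authorization gap concrete, here is an added Python model of the check that was missing, written for this article and not taken from RabbitMQ's code. It uses RabbitMQ's per-vhost permission triple (configure, write, read regexes, as returned by GET /api/permissions) and compares two decision rules: the vulnerable one, which only requires the user to hold some permission entry for the vhost, and the fixed one, which additionally requires the configure regex to match the queue name. The same function can be run against an export of your own permissions and queue list to see, while an upgrade is pending, which users could delete which queues on an affected broker. The user names, queue names and regexes below are constructed sample data; treating the regex as an anchored full-name match is an assumption of this model.

```python
import re

# Constructed sample in the shape of GET /api/permissions output.
PERMISSIONS = [
    {"user": "admin",   "vhost": "/",     "configure": ".*",          "write": ".*",          "read": ".*"},
    {"user": "billing", "vhost": "/",     "configure": r"^billing\..*", "write": r"^billing\..*", "read": r"^billing\..*"},
    {"user": "auditor", "vhost": "/",     "configure": "",            "write": "",            "read": ".*"},
    {"user": "ops",     "vhost": "other", "configure": ".*",          "write": ".*",          "read": ".*"},
]

# Constructed sample of (vhost, queue) pairs, as GET /api/queues would list them.
QUEUES = [("/", "billing.invoices"), ("/", "orders.inbound"), ("other", "scratch")]


def _permission_entry(perms, user, vhost):
    """Return the user's permission triple for this vhost, or None if none is set."""
    for entry in perms:
        if entry["user"] == user and entry["vhost"] == vhost:
            return entry
    return None


def vulnerable_may_delete(perms, user, vhost, queue):
    """Decision rule of affected versions: any permission entry for the vhost is enough.
    The queue name is never consulted."""
    return _permission_entry(perms, user, vhost) is not None


def fixed_may_delete(perms, user, vhost, queue):
    """Decision rule with the configure check: the configure regex must match the
    queue name. An empty regex matches no queue name, which is how RabbitMQ
    expresses 'no permission'. Full-name anchoring is an assumption of this model."""
    entry = _permission_entry(perms, user, vhost)
    if entry is None:
        return False
    return re.fullmatch(entry["configure"], queue) is not None


def exposure(perms, queues):
    """List every (user, vhost, queue) deletion the vulnerable rule permits but the
    fixed rule denies: the queues a given user could wrongly delete on an affected broker."""
    users = sorted({p["user"] for p in perms})
    exposed = []
    for user in users:
        for vhost, queue in queues:
            if vulnerable_may_delete(perms, user, vhost, queue) and not fixed_may_delete(perms, user, vhost, queue):
                exposed.append((user, vhost, queue))
    return sorted(exposed)


if __name__ == "__main__":
    for user, vhost, queue in exposure(PERMISSIONS, QUEUES):
        print(f"{user} could delete {vhost}:{queue} without configure permission")
```

Running the sample shows that the read-only "auditor" account can delete both queues in "/" under the vulnerable rule, and that "billing" can delete "orders.inbound" outside its configure scope, while "admin" and "ops" lose nothing because their configure regex already covers those queues.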
Here are the original references to the issue CVE-2024-51988:
1. RabbitMQ's official blog post on the issue: CVE-2024-51988
2. RabbitMQ's repository issue report: Issue #329
Conclusion
Security vulnerabilities such as unauthorized queue deletion through the HTTP API in RabbitMQ's management plugin can have severe consequences in a production environment. Ensure that you upgrade to the latest versions to patch the vulnerability and take necessary precautions to protect your RabbitMQ installations. Remember to always be vigilant about security and stay updated on the latest patches and fixes.
Timeline
Published on: 11/06/2024 20:15:06 UTC
Last modified on: 11/08/2024 19:01:25 UTC