PT-2019-6093 · Pivotal+4 · Rabbitmq+3


Published: 2019-11-22 · Updated: 2022-09-22 · CVE-2019-11287

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Pivotal RabbitMQ versions 3.7.x prior to 3.7.21
Pivotal RabbitMQ versions 3.8.x prior to 3.8.1
RabbitMQ for Pivotal Platform versions 1.16.x prior to 1.16.7
RabbitMQ for Pivotal Platform versions 1.17.x prior to 1.17.4

Description

The vulnerability is caused by improper handling of the "X-Reason" HTTP header, which can be exploited to cause a denial of service. An unauthenticated attacker who supplies a malicious Erlang format string in the "X-Reason" HTTP header can make the server consume heap memory until it crashes.

Recommendations

For Pivotal RabbitMQ versions 3.7.x prior to 3.7.21, update to version 3.7.21 or later.
For Pivotal RabbitMQ versions 3.8.x prior to 3.8.1, update to version 3.8.1 or later.
For RabbitMQ for Pivotal Platform versions 1.16.x prior to 1.16.7, update to version 1.16.7 or later.
For RabbitMQ for Pivotal Platform versions 1.17.x prior to 1.17.4, update to version 1.17.4 or later.

As a temporary workaround, restrict access to the web management plugin to reduce the risk of exploitation.

Weakness Enumeration

DoS
Resource Exhaustion
Use of Externally-Controlled Format String

Related Identifiers

BDU:2021-05251
CVE-2019-11287
DLA-2710-1
DLA-2710-2
GHSA-HRFH-7J5F-8CCR
RHSA-2020:0078
SUSE-SU-2022:3338-1
SUSE-SU-2022:3339-1
USN-5004-1

Affected Products

Astra Linux
Linuxmint
Rabbitmq
Ubuntu