CVE-2020-36282
📋 TL;DR
CVE-2020-36282 is a critical Java deserialization vulnerability in the RabbitMQ JMS Client (rabbitmq-jms-client). A JMS StreamMessage received by an affected client is deserialized from untrusted bytes, so an attacker who can get a crafted message delivered to the consumer (typically by publishing it to a queue the client reads) can execute arbitrary code inside the consuming application. It affects every application that has RabbitMQ JMS Client 1.x before 1.15.2 or 2.x before 2.2.0 on its classpath; the RabbitMQ broker itself is not the vulnerable component.
💻 Affected Systems
- RabbitMQ JMS Client (rabbitmq-jms-client, Maven coordinates com.rabbitmq.jms:rabbitmq-jms-client): 1.x before 1.15.2 and 2.x before 2.2.0. The exposed party is the Java application that consumes messages with this library, not the broker.
📦 What is this software?
RabbitMQ JMS Client is a Java library from the RabbitMQ team that implements the JMS API (javax.jms) on top of a RabbitMQ broker, so applications written against JMS can send and receive messages through RabbitMQ. JMS message types such as ObjectMessage and StreamMessage carry Java-serialized data, which is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Code execution in the consuming application with the privileges of its JVM process, giving the attacker control of that host and whatever the application can reach: credentials in its configuration, the broker it is connected to, and other systems on the same network, with the usual follow-on of data theft, lateral movement and persistent backdoors.
Likely Case
Remote code execution in the consumer from a single crafted message, leading to compromise of that application, exfiltration of the data it handles, and a pivot to other systems in the network.
If Mitigated
If the broker only accepts publishes to the consumer's queues from authenticated, network-restricted producers and the consumer runs with least privilege in a segmented environment, exploitation requires an attacker who already holds publish rights, and a successful exploit is contained to what that process can reach.
🎯 Exploit Status
Exploitation requires delivering a crafted StreamMessage to a vulnerable consumer, normally by publishing it to a queue the client reads, so the attacker needs publish access to the broker (or a position from which to tamper with broker-to-client traffic). The issue was reported and fixed in public (GitHub issue #135) and a public write-up exists; see References.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.15.2 for 1.x, 2.2.0 for 2.x
Vendor Advisory: https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v1.15.2 and https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v2.2.0
Restart Required: Yes. The library runs inside the consuming application, so every JVM that has it on the classpath must be rebuilt or redeployed and restarted.
Instructions:
1. Identify every application with com.rabbitmq.jms:rabbitmq-jms-client on its classpath, including ones that pull it in transitively through another library.
2. Update the dependency to 1.15.2 (1.x line) or 2.2.0 (2.x line).
3. Rebuild, redeploy and restart every application that uses the updated client.
4. Verify the resolved version, not just the declared one (mvn dependency:tree, gradle dependencies, or the JAR actually deployed), since dependency management or a transitive dependency can pin an older release.
🔧 Temporary Workarounds
Disable StreamMessage Processing
If the application does not need StreamMessage, reject it temporarily: check the message type in the consumer before reading any field, drop anything that is a javax.jms.StreamMessage and log its message ID. Reject before reading rather than reading and validating, because StreamMessage fields are deserialized as they are read.
Network Segmentation
The JMS client connects outbound to the broker, so the place to enforce this is the broker host: allow AMQP (port 5672, and 5671 if TLS is enabled) only from the networks that are meant to publish, and drop everything else. Example iptables rules on the broker host, with trusted_network replaced by the producers' CIDR:
iptables -A INPUT -p tcp --dport 5672 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 5672 -j DROP
Pair this with broker-side authorization: give each producer user write permission only on the exchanges it needs (rabbitmqctl set_permissions), so that a compromised publisher cannot reach the queues a vulnerable consumer reads.
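The "reject before reading" workaround above, written out as an added example (this is not code from the RabbitMQ JMS Client project). It wraps the application's real javax.jms.MessageListener, discards every StreamMessage without touching its body, and acknowledges it so it is not redelivered. The assumption it rests on, stated in the comments as well: in affected versions the unsafe deserialization is triggered when the consumer reads the stream body, so a message whose fields are never read cannot deliver a gadget chain.

```java
import javax.jms.Destination;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageListener;
import javax.jms.Session;
import javax.jms.StreamMessage;

/*
 * Added example, not part of rabbitmq-jms-client: a guard listener for
 * consumers that cannot upgrade past CVE-2020-36282 yet.
 *
 * Assumption: the vulnerable deserialization runs when the application reads
 * the StreamMessage body (readObject(), readString(), ...). The guard therefore
 * decides on the message type alone and never calls a read method on it.
 */
public final class StreamMessageGuard implements MessageListener {

    private final MessageListener delegate;
    private long dropped;

    public StreamMessageGuard(MessageListener delegate) {
        this.delegate = delegate;
    }

    /** Type check only: instanceof does not deserialize anything. */
    public static boolean shouldDrop(Message message) {
        return message instanceof StreamMessage;
    }

    @Override
    public void onMessage(Message message) {
        if (shouldDrop(message)) {
            dropped++;
            String id = "<unknown>";
            try {
                id = message.getJMSMessageID(); // header field, not the body
            } catch (JMSException ignored) {
                // never let logging turn into a body read
            }
            System.err.println("CVE-2020-36282 guard: dropped StreamMessage " + id);
            // Returning normally lets an AUTO_ACKNOWLEDGE session acknowledge the
            // message, so the broker removes it instead of redelivering it.
            return;
        }
        delegate.onMessage(message);
    }

    /** Number of StreamMessages discarded so far; worth exporting as a metric. */
    public long droppedCount() {
        return dropped;
    }

    /** Convenience wiring: install the guard in front of the real listener. */
    public static MessageConsumer install(Session session, Destination destination,
                                          MessageListener realListener) throws JMSException {
        MessageConsumer consumer = session.createConsumer(destination);
        consumer.setMessageListener(new StreamMessageGuard(realListener));
        return consumer;
    }
}
```

Consumers that poll with MessageConsumer.receive() instead of a listener need the same instanceof check on the returned Message before any read call. A non-zero droppedCount() on a queue that should never carry StreamMessage is itself a signal worth alerting on.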
🧯 If You Can't Patch
- Restrict who can reach and publish to the broker: firewall the AMQP ports on the broker host and limit each producer's write permissions to the exchanges it needs, so a crafted StreamMessage cannot be placed on the queues a vulnerable consumer reads
- Do not rely on a WAF: the payload travels over AMQP from the broker to the consumer, not over HTTP, so a WAF never sees it. Where the client's deserialization goes through the JDK's ObjectInputStream, a JVM-wide serialization filter (-Djdk.serialFilter, available in JDK 9+ and backported to 8u121+) that allows only the classes the application expects limits which gadget classes an attacker can load; a Java agent or RASP with deserialization controls is an alternative
🔍 How to Verify
Check if Vulnerable:
Determine which RabbitMQ JMS Client version each consuming application actually loads. Versions 1.0.0 through 1.15.1 and 2.0.0 through 2.1.x are vulnerable.
Check Version:
Inspect the resolved dependency tree (mvn dependency:tree or gradle dependencies) for com.rabbitmq.jms:rabbitmq-jms-client, or read the Maven metadata inside the deployed JAR: unzip -p rabbitmq-jms-client-*.jar META-INF/maven/com.rabbitmq.jms/rabbitmq-jms-client/pom.properties
Verify Fix Applied:
Confirm the version that is loaded at runtime is 1.15.2 or higher on the 1.x line, or 2.2.0 or higher on the 2.x line. Check every deployment artifact, not just the build file, since a shaded or pre-built artifact can still carry an old copy.
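Step 4 of the fix instructions and the checks above both come down to comparing the version actually loaded against the fixed releases. The following added example (not project code) does that as a fail-fast startup check: it reads the version from the Maven pom.properties that the client JAR carries at the standard location META-INF/maven/com.rabbitmq.jms/rabbitmq-jms-client/pom.properties, and refuses to start the application if that version falls in an affected range. It treats a pre-release build of the fixed version itself (for example 1.15.2-SNAPSHOT) as affected, which is a deliberate conservative choice of this example rather than anything the advisory states.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

/* Added example, not part of rabbitmq-jms-client: startup guard for CVE-2020-36282. */
public final class RabbitJmsClientVersionCheck {

    /** Standard Maven location of the version metadata inside the client JAR. */
    static final String POM_PROPERTIES =
        "META-INF/maven/com.rabbitmq.jms/rabbitmq-jms-client/pom.properties";

    /** Minimal version parser: "1.15.2-SNAPSHOT" -> [1,15,2], preRelease=true. */
    static final class Version {
        final int[] parts = new int[3];
        final boolean preRelease;

        Version(String s) {
            String[] split = s.trim().split("[-+]", 2); // qualifier after '-' or '+'
            preRelease = split.length > 1;
            String[] nums = split[0].split("\\.");
            for (int i = 0; i < 3 && i < nums.length; i++) {
                String digits = nums[i].replaceAll("[^0-9].*", ""); // "2RC" -> "2"
                parts[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
            }
        }

        int compareTo(int major, int minor, int patch) {
            int[] other = {major, minor, patch};
            for (int i = 0; i < 3; i++) {
                if (parts[i] != other[i]) return Integer.compare(parts[i], other[i]);
            }
            return 0;
        }
    }

    /** True for 1.x below 1.15.2 and 2.x below 2.2.0; other major lines are unaffected. */
    static boolean isVulnerable(String version) {
        Version v = new Version(version);
        int cmp;
        if (v.parts[0] == 1) cmp = v.compareTo(1, 15, 2);
        else if (v.parts[0] == 2) cmp = v.compareTo(2, 2, 0);
        else return false;
        // Conservative assumption of this example: a pre-release of the fixed
        // version (1.15.2-SNAPSHOT, 2.2.0-RC1) may predate the fix, so flag it.
        return cmp < 0 || (cmp == 0 && v.preRelease);
    }

    /** Version of the client on the given class loader's classpath, or null if absent. */
    static String resolvedVersion(ClassLoader cl) throws IOException {
        try (InputStream in = cl.getResourceAsStream(POM_PROPERTIES)) {
            if (in == null) return null;
            Properties p = new Properties();
            p.load(in);
            return p.getProperty("version");
        }
    }

    /** Call from the application's entry point before opening any JMS connection. */
    public static void main(String[] args) throws IOException {
        String v = resolvedVersion(RabbitJmsClientVersionCheck.class.getClassLoader());
        if (v == null) {
            System.out.println("rabbitmq-jms-client not found on the classpath");
            return;
        }
        if (isVulnerable(v)) {
            throw new IllegalStateException("rabbitmq-jms-client " + v
                + " is affected by CVE-2020-36282; upgrade to 1.15.2 (1.x) or 2.2.0 (2.x)");
        }
        System.out.println("rabbitmq-jms-client " + v + " is not affected");
    }
}
```

isVulnerable("1.15.1") and isVulnerable("2.1.0") return true, isVulnerable("1.15.2"), isVulnerable("2.2.0") and isVulnerable("2.3.0") return false, and isVulnerable("2.2.0-RC1") returns true under the conservative rule. If several class loaders are in play (application servers, shaded JARs), run resolvedVersion against each one that could load the client.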
📡 Detection & Monitoring
Log Indicators:
- Deserialization failures in the consumer's logs: java.io.InvalidClassException, ClassNotFoundException or StreamCorruptedException with com.rabbitmq.jms classes in the stack trace (gadget chains that do not match the consumer's classpath fail noisily before a working one is found)
- Stack traces that mention StreamMessage together with java.io.ObjectInputStream
- Child processes spawned by the JVM that hosts the JMS consumer (shells, curl, etc.), or outbound connections that process does not normally make
Network Indicators:
- Message bodies delivered to the consumer that begin with the Java serialization magic bytes AC ED 00 05 and are unusually large; only observable where the AMQP traffic is not TLS-encrypted or can be inspected at the broker
- Publishes to the consumer's queues from users or hosts that do not normally produce StreamMessage traffic
SIEM Query:
Splunk-style; adapt the source and field names to your environment:
source="rabbitmq" AND ("StreamMessage" OR "ObjectInputStream" OR "InvalidClassException" OR "ClassNotFoundException")
🔗 References
- https://github.com/rabbitmq/rabbitmq-jms-client/issues/135
- https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v1.15.2
- https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v2.2.0
- https://medium.com/%40ramon93i7/a99645d0448b