Comments by: Jonathan Knudsen, Senior Security Strategist, at Synopsys Software Integrity Group
Message brokers are software applications that serve as a messaging hub for complex systems. They provide reliable communication channels between different components, serving as the nerve center of a complex system. As such, message brokers can also be a central point of failure. If the message broker dies, system components won’t be able to communicate.
CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial-of-service vulnerabilities in three popular open source message brokers. They give attackers the opportunity to disable the message brokers, a denial-of-service attack that could have serious consequences.
Open source message brokers, like other open source components, offer amazing functionality, but must be managed properly. When new vulnerabilities are discovered, the organisation must make sure to update open source components to versions in which known vulnerabilities are fixed. Software Composition Analysis (SCA) tools automate much of this work and can automatically notify development or operations teams when new vulnerabilities are discovered in any used open source components.
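The core check an SCA tool automates, as an added illustration that is not Synopsys code or any real tool's implementation: a dependency inventory is matched against an advisory feed keyed by CVE, and any component whose installed version is below the fixed version is flagged for update. The CVE identifiers are the ones discussed above, but the component names and version numbers are constructed placeholders, not the real affected ranges.

```python
import re

# Constructed advisory feed. The CVE ids come from the text above; the
# component names and "fixed_in" versions are placeholders, NOT real data.
ADVISORIES = [
    {"cve": "CVE-2021-22116", "component": "broker-a", "fixed_in": "1.2.0"},
    {"cve": "CVE-2021-33175", "component": "broker-b", "fixed_in": "2.0.0"},
    {"cve": "CVE-2021-33176", "component": "broker-c", "fixed_in": "5.4.1"},
]

# Constructed inventory, e.g. what an SBOM or lock file would list.
SAMPLE_INVENTORY = {
    "broker-a": "1.1.9",   # below the placeholder fix -> should be flagged
    "broker-b": "2.0.0",   # already at the fixed version -> not flagged
    "broker-c": "5.4",     # shorter version string, still below 5.4.1
    "other-lib": "0.3",    # no advisory for it
}


def parse_version(v: str) -> tuple:
    """'5.4.1' -> (5, 4, 1). Leading digits of each dot-separated part are
    used; pre-release suffixes such as '-rc1' are dropped, so a release
    candidate compares equal to its final release (a known simplification)."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in. Tuples are zero-padded to equal length
    so that '5.4' and '5.4.0' compare as the same version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return a < b


def scan(inventory: dict, advisories=ADVISORIES) -> list:
    """Return (component, installed, cve, fixed_in) for every advisory whose
    component is in the inventory at a version below the fix."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is not None and is_vulnerable(installed, adv["fixed_in"]):
            findings.append((adv["component"], installed, adv["cve"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for comp, ver, cve, fix in scan(SAMPLE_INVENTORY):
        print(f"{comp} {ver}: {cve}, update to {fix} or later")
```

A real SCA feed also carries the version at which a flaw was introduced, so production tooling matches a range rather than a single lower bound.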