Amazon MQ RabbitMQ-AWS Plugin Debug Code Vulnerability Allowing Arbitrary File Read

Vulnerability

A vulnerability exists in the Amazon MQ RabbitMQ-AWS plugin, specifically in versions 0.1.0 through 0.2.0, due to active debug code in the ARN resolver. This debug code introduces a scheme (arn:aws-debug:file) that can be used with the validation endpoint PUT /api/aws/arn/validate. Remote authenticated users may exploit this to read any file accessible to the RabbitMQ process, potentially including sensitive information such as TLS certificates, private keys, and passwords.

Impact

Exploitation of this vulnerability allows for arbitrary file reads on the server, with the potential to access sensitive information like passwords and TLS private keys, depending on the files available to the RabbitMQ process.

Remediation

Users are advised to upgrade to RabbitMQ-AWS version 0.2.1, which removes the debug ARN format. If the plugin has been used to read sensitive files, such as TLS private keys, those secrets should be rotated. The plugin can also be temporarily disabled, but this will remove ARN resolution at startup, requiring a fallback to filesystem-based certificate configuration.
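To help decide which secrets need rotating, the sketch below summarises PUT requests to /api/aws/arn/validate per user and source host from an HTTP access log. It is an added example, not code from the plugin or from AWS. It assumes the management API access log is in Common Log Format, and the sample lines are constructed. Access logs do not record request bodies, so a hit shows that the endpoint was called, not which ARN scheme was submitted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint named in the advisory.
VALIDATE_PATH = "/api/aws/arn/validate"

# Assumption: log lines follow Common Log Format:
# host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input, not real log data.
SAMPLE_LOG = """\
10.0.0.5 - monitoring [20/May/2026:09:00:01 +0000] "GET /api/overview HTTP/1.1" 200 5120
10.0.0.9 - app-user [20/May/2026:09:14:22 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 200 311
10.0.0.9 - app-user [20/May/2026:09:14:40 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 200 1874
10.0.0.7 - admin [20/May/2026:10:02:10 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 401 40
10.0.0.7 - admin [20/May/2026:10:03:00 +0000] "GET /api/aws/arn/validate HTTP/1.1" 405 0
this line is malformed and is skipped
"""

def validate_calls(lines):
    """Summarise PUT requests to the validation endpoint per (user, host)."""
    summary = defaultdict(lambda: {"count": 0, "ok": 0, "first": None, "last": None})
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "PUT":
            continue
        # Ignore any query string and trailing slash when comparing the path.
        if m["path"].split("?", 1)[0].rstrip("/") != VALIDATE_PATH:
            continue
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        entry = summary[(m["user"], m["host"])]
        entry["count"] += 1
        entry["ok"] += m["status"].startswith("2")  # 2xx: the request was served
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return dict(summary)

if __name__ == "__main__":
    for (user, host), e in validate_calls(SAMPLE_LOG.splitlines()).items():
        print(f"{user}@{host}: {e['count']} calls, {e['ok']} served, "
              f"{e['first']:%Y-%m-%d %H:%M} to {e['last']:%H:%M}")
```

Served calls from users or hosts that have no operational reason to validate ARNs are the ones to review first, using the first and last timestamps to bound the window in which files may have been read.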

Added: May 20, 2026, 8:22 PM
Updated: May 20, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 5.2
remediation: 0.0
relevance: 8.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.