Information disclosure due to outdated engine version in AWS MQ Broker

High Risk | information-disclosure

Tags: aws, mq, message-broker, outdated-software, security-patches, version-management, activemq, rabbitmq

What it is

AWS MQ brokers running outdated or deprecated engine versions are exposed to known security vulnerabilities that have been patched in newer releases. These vulnerabilities can be exploited by attackers to read or alter messages, escalate privileges, cause denial of service, or gain unauthorized access to the message broker system, compromising the confidentiality, integrity, and availability of message data.

ℹ️ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

AWS MQ brokers are configured with deprecated engine_version values in Terraform or CloudFormation that AWS no longer supports. These outdated versions lack critical security patches and expose message broker systems to known vulnerabilities.

Root causes

Deprecated Engine Version Configuration

AWS MQ brokers are configured with deprecated engine_version values in Terraform or CloudFormation that AWS no longer supports. These outdated versions lack critical security patches and expose message broker systems to known vulnerabilities.

Unsupported Apache ActiveMQ or RabbitMQ Versions

Message brokers run end-of-life versions of Apache ActiveMQ or RabbitMQ that no longer receive security updates from upstream maintainers. Attackers can exploit publicly disclosed vulnerabilities for which proof-of-concept exploits are already available.

Missing Automatic Minor Version Upgrades

AWS MQ broker configurations don't enable auto_minor_version_upgrade, requiring manual version updates. Without automatic upgrades, security patches aren't applied during maintenance windows, leaving brokers vulnerable for extended periods.

Absent Version Update Maintenance Schedules

Organizations lack documented processes and schedules for regularly reviewing and updating MQ broker engine versions. No procedures ensure timely evaluation and application of available security updates and patches.

Inadequate Security Advisory Monitoring

Teams don't actively monitor AWS security bulletins, ActiveMQ/RabbitMQ security advisories, or CVE databases for vulnerabilities affecting their message broker versions. New vulnerabilities go undetected until exploited.

Missing Vulnerability Scanning Infrastructure

No automated vulnerability scanning tools assess AWS MQ broker versions against known CVEs. Organizations lack visibility into which brokers are running vulnerable versions requiring immediate updates.

Fixes

1. Update to Supported Engine Version

Upgrade AWS MQ brokers to the latest supported engine_version in Terraform or CloudFormation configurations. Check AWS documentation for current supported versions of ActiveMQ and RabbitMQ, and update your infrastructure code to use these versions. This eliminates known vulnerabilities and provides access to the latest security features and improvements.

2. Enable Automatic Minor Version Upgrades

Set auto_minor_version_upgrade = true in AWS MQ broker configurations. This ensures the broker automatically applies minor version updates that include security patches during scheduled maintenance windows without manual intervention, keeping brokers protected against newly disclosed vulnerabilities.

3. Implement Version Monitoring and Alerting

Deploy CloudWatch alarms and AWS Config rules to monitor MQ broker engine versions. Create alerts that trigger when brokers run deprecated or unsupported versions. Integrate with Security Hub to track version compliance across all brokers, providing visibility for proactive update planning.

4. Establish Maintenance Window Schedules

Define and configure regular maintenance windows for AWS MQ broker upgrades using the maintenance_window_start_time parameter. Schedule major version upgrades and security updates during low-traffic periods, ensuring systematic evaluation and application of patches with minimal service disruption.
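As an added example (not Sourcery's or AWS's code), the checks behind fixes 1 to 3 written as a small Python audit over Amazon MQ API responses: it assumes the response shapes of the DescribeBroker and DescribeBrokerEngineTypes calls (`mq.describe_broker` and `mq.describe_broker_engine_types` in boto3), and the brokers and version lists below are constructed sample data, not AWS's real supported-version list.

```python
"""Flag Amazon MQ brokers whose engine version is not in the supported list
returned by DescribeBrokerEngineTypes, or that will not pick up patch
releases automatically (AutoMinorVersionUpgrade false)."""
from typing import Dict, Iterable, List

# Constructed sample of DescribeBrokerEngineTypes responses, one per engine.
# Version strings are placeholders, not AWS's actual supported versions.
SUPPORTED = {
    "ACTIVEMQ": {"BrokerEngineTypes": [{"EngineType": "ACTIVEMQ",
                 "EngineVersions": [{"Name": "2.0.0"}, {"Name": "2.1.0"}]}]},
    "RABBITMQ": {"BrokerEngineTypes": [{"EngineType": "RABBITMQ",
                 "EngineVersions": [{"Name": "4.0.0"}]}]},
}

# Constructed sample: trimmed DescribeBroker responses for three brokers.
BROKERS = [
    {"BrokerName": "orders", "EngineType": "ACTIVEMQ", "EngineVersion": "1.9.0",
     "AutoMinorVersionUpgrade": False},
    {"BrokerName": "billing", "EngineType": "ACTIVEMQ", "EngineVersion": "2.1.0",
     "AutoMinorVersionUpgrade": True},
    {"BrokerName": "events", "EngineType": "RABBITMQ", "EngineVersion": "4.0.0",
     "AutoMinorVersionUpgrade": False},
]


def supported_versions(engine_types_resp: dict) -> set:
    """Collect every version name from a DescribeBrokerEngineTypes response."""
    return {v["Name"]
            for et in engine_types_resp["BrokerEngineTypes"]
            for v in et["EngineVersions"]}


def audit(brokers: Iterable[dict], supported_by_engine: Dict[str, dict]) -> List[dict]:
    """Return one finding per broker that fails either control; empty list if all pass."""
    findings = []
    for b in brokers:
        ok = supported_versions(supported_by_engine[b["EngineType"].upper()])
        issues = []
        if b["EngineVersion"] not in ok:
            issues.append(f"engine_version {b['EngineVersion']} is not a supported "
                          f"{b['EngineType']} version")
        if not b.get("AutoMinorVersionUpgrade", False):
            issues.append("auto_minor_version_upgrade is disabled")
        if issues:
            findings.append({"broker": b["BrokerName"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(BROKERS, SUPPORTED):
        print(f["broker"], "->", "; ".join(f["issues"]))
```

Against live data, replace the two samples with the output of `describe_broker` for each broker id and `describe_broker_engine_types` per engine type, and route non-empty findings to the CloudWatch or Security Hub alerting described in fix 3.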

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure due to outdated engine versions in AWS MQ brokers, along with many other security issues in your codebase.