Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT and edge computing.
The NATS Server supports MQTT clients and can bridge MQTT activity into NATS subjects across routes and leafnode connections.
Problem Description
An MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections.
This could corrupt the forwarded protocol stream and allow injection of unintended NATS protocol operations, potentially across cluster nodes or accounts where route or gateway connections are present.
Anonymous MQTT deployments are higher risk because no credentials are required to reach the affected parser. Authenticated deployments are still affected for clients allowed to create MQTT subscriptions.
Affected Versions
Versions v2.14.0, v2.12.8 and below are vulnerable. The issue is fixed in v2.14.1 and v2.12.9.
Workarounds
Disable anonymous MQTT access where it is not required. Deployments that need MQTT have no known complete workaround other than upgrading.
References
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT and edge computing.
The NATS Server supports MQTT clients and can bridge MQTT activity into NATS subjects across routes and leafnode connections.
Problem Description
An MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections.
This could corrupt the forwarded protocol stream and allow injection of unintended NATS protocol operations, potentially across cluster nodes or accounts where route or gateway connections are present.
Anonymous MQTT deployments are higher risk because no credentials are required to reach the affected parser. Authenticated deployments are still affected for clients allowed to create MQTT subscriptions.
Affected Versions
Versions v2.14.0, v2.12.8 and below are vulnerable. The issue is fixed in v2.14.1 and v2.12.9.
Workarounds
Disable anonymous MQTT access where it is not required. Deployments that need MQTT have no known complete workaround other than upgrading.
References