CVE-2021-43799: 
NixOS vulnerability analysis and mitigation

In versions of Zulip Server prior to 4.9, the initial installation (until first reboot or restart of RabbitMQ) did not successfully limit the RabbitMQ distribution port 25672, which is used for inter-node communication. The vulnerability was identified as CVE-2021-43799 and was disclosed on January 25, 2022. The issue affected Zulip Server installations using RabbitMQ for internal message passing (GHSA Advisory).

The vulnerability stems from RabbitMQ's default "cookie" which protects port 25672 being generated using a weak PRNG (Pseudorandom Number Generator). The entropy of the password was limited to at most 36 bits, but due to biased seed randomization, it effectively had only approximately 20 bits of entropy. The cookie was generated as a 20-character string using only capital letters, significantly reducing its security strength (GHSA Advisory, Zulip Commit).

If other firewalls (at the OS or network level) did not protect port 25672, a remote attacker could brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary code execution as the rabbitmq user. Additionally, attackers could read all data transmitted through RabbitMQ, including all message traffic sent by users (GHSA Advisory).

The issue was fixed in Zulip 4.9 by implementing a more secure cookie generation system. Workarounds include ensuring firewalls prevent access to port 25672 from outside the Zulip server, restarting the rabbitmq-server service, or stopping rabbitmq-server and generating a new secure Erlang magic cookie in /var/lib/rabbitmq/.erlang.cookie before restarting (GHSA Advisory).