CVE-2024-21646: 
CBL Mariner vulnerability analysis and mitigation

Azure uAMQP, a general purpose C library for AMQP 1.0 protocol communication, was found to contain a critical vulnerability (CVE-2024-21646) that was disclosed on January 8, 2024. The vulnerability affects all versions prior to 2024-01-01 of the UAMQP library, which is used by several clients to implement AMQP protocol communication (GitHub Advisory).

The vulnerability stems from an integer overflow or wraparound condition that occurs when clients using this library receive crafted binary type data. This can lead to memory safety issues during the processing of AMQP_VALUE failed states. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature. The issue is tracked under CWE-190 (Integer Overflow or Wraparound) and CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability can potentially lead to remote code execution (RCE) when exploited successfully. This is particularly concerning for IoT devices and systems that use the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices using the AMQP protocol. The impact affects both embedded devices running on systems like FreeRTOS or Azure RTOS, as well as Linux and Windows-based devices (GitHub Advisory).

The vulnerability has been patched in release 2024-01-01. Users are strongly advised to update to this version or later. The fix was implemented through commit 12ddb3a31a5a97f55b06fa5d74c59a1d84ad78fe, which addresses the integer overflow issue in binary_value size malloc (GitHub Patch).