https://bugzilla.redhat.com/show_bug.cgi?id=1174872
Bug ID: 1174872
Summary: rabbitmq-server: insufficient 'X-Forwarded-For' header validation
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
chrisw(a)redhat.com, dallan(a)redhat.com,
erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com,
yeylon(a)redhat.com
In RabbitMQ, the 'loopback_users' configuration directive specifies a list of
users that are only permitted to connect to the broker via localhost.
It was found that RabbitMQ's management plug-in did not sufficiently validate
the 'X-Forwarded-For' header when determining the remote address. A remote
attacker able to send a specially crafted 'X-Forwarded-For' header to RabbitMQ
could use this flaw to connect to the broker as if they were a localhost user.
Note that the attacker must know valid user credentials in order to connect to
the broker.
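As an added illustration (not code from this report or from RabbitMQ), the address-selection logic in Python: a naive version that lets any 'X-Forwarded-For' value override the socket peer, beside a hardened version that only consults the header when the TCP peer is a configured trusted proxy. The trusted-proxy list, the lower-cased header dict and the sample addresses are assumptions.

```python
import ipaddress
from typing import Dict, Iterable

def _parse_ip(text: str):
    """Return an ipaddress object, or None if the text is not a valid address."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d -> a.b.c.d

def naive_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Weak logic of the kind the bug describes: any X-Forwarded-For value
    replaces the real socket peer, so a direct remote client can claim to
    be 127.0.0.1 and satisfy a loopback-only check."""
    xff = headers.get("x-forwarded-for")  # header names assumed lower-cased
    return xff.split(",")[0].strip() if xff else peer_ip

def hardened_client_ip(peer_ip: str, headers: Dict[str, str],
                       trusted_proxies: Iterable[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a proxy we trust,
    then take the right-most hop that is not itself a trusted proxy (the
    address appended by the proxy we trust). Anything unparseable, and a
    loopback claim relayed by a non-local proxy, falls back to the peer."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = _parse_ip(peer_ip)
    if peer is None or peer not in trusted:
        return peer_ip  # direct client: the header is client-controlled
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break  # garbage in the chain: do not guess
        if ip in trusted:
            continue
        if ip.is_loopback and not peer.is_loopback:
            break  # a remote proxy cannot vouch that its client was local
        return str(ip)
    return peer_ip

def is_loopback_client(client_ip: str) -> bool:
    """True only for 127.0.0.0/8 or ::1, after strict parsing."""
    ip = _parse_ip(client_ip)
    return ip is not None and ip.is_loopback

def permits_loopback_user(peer_ip, headers, trusted_proxies) -> bool:
    """Decision a loopback_users-style check should make for one request."""
    return is_loopback_client(hardened_client_ip(peer_ip, headers, trusted_proxies))

# Constructed request: a remote client sending the header straight to the broker.
SPOOFED = {"x-forwarded-for": "127.0.0.1"}
```

With `SPOOFED` sent from 203.0.113.5, the naive path reports a loopback client while the hardened path keeps the real peer; a local reverse proxy on 127.0.0.1 listed as trusted still passes its own loopback clients through.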
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt