https://bugzilla.redhat.com/show_bug.cgi?id=1185514
Bug ID: 1185514
Summary: RabbitMQ: /api/... XSS vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: kseifried@redhat.com
CC: abaron@redhat.com, aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, chrisw@redhat.com, dallan@redhat.com, erlang@lists.fedoraproject.org, gkotton@redhat.com, hubert.plociniczak@gmail.com, jeckersb@redhat.com, josh@fornwall.com, lemenkov@gmail.com, lhh@redhat.com, lpeer@redhat.com, markmc@redhat.com, pmyers@redhat.com, rbryant@redhat.com, rjones@redhat.com, s@shk.io, sclewis@redhat.com, yeylon@redhat.com
26437 prevent /api/* from returning text/html error messages which could act as an XSS vector (since 2.1.0)
Bug 26437 allowed an attacker to create a URL to "/api/..." which would provoke an internal server error, resulting in the server returning an HTML page with text from the URL embedded and not escaped. This was fixed by ensuring all URLs below /api/ only ever return responses with a content type of application/json, even in the case of an internal server error.
Upstream patches: http://hg.rabbitmq.com/rabbitmq-web-dispatch/rev/caf3d0a80cf3
References: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
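The fix the report describes (every response below /api/ carries application/json, even on an internal error) modelled as an added example in Python; this is not RabbitMQ's or rabbitmq-web-dispatch's code, and the handler names, the API_PREFIX constant and the probe path are assumptions made here.

```python
# Added example, not RabbitMQ's code: a minimal model of the fix described in the
# report. Handler names, API_PREFIX and the probe path are assumptions made here.
import html
import json

API_PREFIX = "/api/"

def error_page_before_fix(path, reason):
    """Pre-fix behaviour: a text/html error page embedding the raw request path,
    so markup carried in the URL is rendered by the browser."""
    body = ("<html><body><h1>500 Internal Server Error</h1>"
            f"<p>Error handling {path}: {reason}</p></body></html>")
    return 500, {"Content-Type": "text/html"}, body

def error_page_after_fix(path, reason):
    """Post-fix behaviour: everything below /api/ answers with application/json,
    even on an internal error; other paths get HTML with escaped text."""
    if path.startswith(API_PREFIX):
        # '<' and '>' may survive inside the JSON string, but browsers do not
        # render application/json as a document, so the text is inert.
        body = json.dumps({"error": "Internal Server Error",
                           "reason": reason, "path": path})
        return 500, {"Content-Type": "application/json"}, body
    body = ("<html><body><h1>500 Internal Server Error</h1>"
            f"<p>Error handling {html.escape(path)}: {html.escape(reason)}</p>"
            "</body></html>")
    return 500, {"Content-Type": "text/html"}, body

def api_response_is_safe(path, headers, body):
    """Check to run over an API endpoint's responses: below /api/ the content
    type must be application/json and the body must parse as JSON."""
    if not path.startswith(API_PREFIX):
        return True
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    try:
        json.loads(body)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    probe = "/api/queues/%2F/<i>probe</i>"  # constructed URL carrying markup
    for handler in (error_page_before_fix, error_page_after_fix):
        status, headers, body = handler(probe, "constructed failure")
        print(handler.__name__, status, headers["Content-Type"],
              "safe" if api_response_is_safe(probe, headers, body) else "UNSAFE")
```

The same check can be pointed at a real management API's error responses to confirm a deployment is on a fixed release.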
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1185513
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=new,epel-all/rabbitmq-server=new,openstack-5-rhel6/rabbitmq-server=new,openstack-5-rhel7/rabbitmq-server=new,openstack-6/rabbitmq-server=new |impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=new,openstack-5-rhel7/rabbitmq-server=new,openstack-6/rabbitmq-server=new
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1185516
Depends On| |1185517
--- Comment #1 from Kurt Seifried kseifried@redhat.com ---
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1185516]
Affects: epel-all [bug 1185517]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185516 [Bug 1185516] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1185517 [Bug 1185517] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [epel-all]
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2014-9649
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|RabbitMQ: /api/... XSS vulnerability |CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gmollett@redhat.com
Whiteboard|impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=new,openstack-5-rhel7/rabbitmq-server=new,openstack-6/rabbitmq-server=new |impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=affected,openstack-5-rhel7/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=affected,openstack-5-rhel7/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected |impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=defer,openstack-6/rabbitmq-server=defer
Peter Lemenkov plemenko@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
CC| |plemenko@redhat.com
Fixed In Version| |rabbitmq-server-3.5.1-1.fc22
Resolution|--- |ERRATA
Last Closed| |2015-10-23 17:17:49
--- Comment #2 from Peter Lemenkov plemenko@redhat.com --- Both this and corresponding bug 1185515 were addressed in RabbitMQ 3.4.1. We already ship ver. 3.5.x, so this issue is already fixed in Fedora 22+.
As for Fedora 21 users, we strongly advise users to upgrade to F22 or to the upcoming F23.
Bug 1185514 depends on bug 1185516, which changed state.
Bug 1185516 Summary: rabbitmq-server: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185516
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Peter Lemenkov plemenko@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |NEW
Resolution|ERRATA |---
Keywords| |Reopened
--- Comment #3 from Peter Lemenkov plemenko@redhat.com --- Reopening - unfortunately it is still not fixed for EPEL7.
--- Comment #4 from Fedora Update System updates@fedoraproject.org --- rabbitmq-server-3.3.5-12.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1185514 depends on bug 1185517, which changed state.
Bug 1185517 Summary: rabbitmq-server: various flaws [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185517
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=defer,openstack-6/rabbitmq-server=defer |impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected |impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected,openstack-7/rabbitmq-server=affected,openstack-8/rabbitmq-server=affected
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1304946
Depends On| |1304947
Depends On| |1304948
Depends On| |1304949
Depends On| |1304950
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |slong@redhat.com
--- Doc Text *updated* --- A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using api/ path info to inject and receive data. A remote attacker could use this flaw to create an "/api/..." URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL (not escaped).
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |needinfo?(gmollett@redhat.com)
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(gmollett@redhat.com) |
--- Comment #8 from Garth Mollett gmollett@redhat.com --- Acknowledgments:
Name: (none)
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
OpenStack 6 for RHEL 7
Via RHSA-2016:0308 https://rhn.redhat.com/errata/RHSA-2016-0308.html
Ján Rusnačko jrusnack@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected,openstack-7/rabbitmq-server=affected,openstack-8/rabbitmq-server=affected |impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected,openstack-7/rabbitmq-server=affected,openstack-8/rabbitmq-server=affected,cwe=CWE-79[auto]
--- Doc Text *updated* by Martin Prpic mprpic@redhat.com --- A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using the 'api/' path info to inject and receive data. A remote attacker could use this flaw to create an 'api/' URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL that was not escaped.
--- Doc Text *updated* by Martin Prpic mprpic@redhat.com --- A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using api/ path info to inject and receive data. A remote attacker could use this flaw to create an "/api/..." URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL (not escaped).
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2016:0369 https://rhn.redhat.com/errata/RHSA-2016-0369.html
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
Via RHSA-2016:0368 https://rhn.redhat.com/errata/RHSA-2016-0368.html
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Via RHSA-2016:0367 https://rhn.redhat.com/errata/RHSA-2016-0367.html
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed|2015-10-23 17:17:49 |2016-03-08 18:39:57