https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Bug ID: 1448337
Summary: CVE-2017-4966 rabbitmq: Authentication details are stored in browser-local storage without expiration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, chrisw@redhat.com, cvsbot-xmlrpc@redhat.com, erlang@lists.fedoraproject.org, hubert.plociniczak@gmail.com, jeckersb@redhat.com, jjoyce@redhat.com, josh@fornwall.com, jschluet@redhat.com, kbasil@redhat.com, lemenkov@gmail.com, lhh@redhat.com, lpeer@redhat.com, markmc@redhat.com, plemenko@redhat.com, rbryant@redhat.com, rjones@redhat.com, sclewis@redhat.com, sisharma@redhat.com, srevivo@redhat.com, s@shk.io, tdecacqu@redhat.com
It was found that the RabbitMQ authentication details are being stored indefinitely in the local browser cache.
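An added illustration of the bug class tracked here (CWE-522, credentials kept in browser-local storage with no expiry), placed beside a hardened pattern. This is not RabbitMQ's code and does not reproduce the upstream fix; the in-memory `MemoryStorage` class is a constructed stand-in for `window.localStorage` so the example runs under Node, and the function names are the author's own.

```javascript
// Constructed stand-in for the browser's Storage interface (localStorage /
// sessionStorage) so this runs outside a browser. Not RabbitMQ code.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Weak pattern (the flaw class in CVE-2017-4966): the raw credentials are
// written to persistent storage and nothing ever removes or expires them.
function saveAuthWeak(storage, username, password) {
  storage.setItem('auth', JSON.stringify({ username, password }));
}

// Hardened pattern (hypothetical, not the upstream fix): persist only a
// short-lived token, never the password, together with an absolute expiry.
// Returns the expiry timestamp so callers can schedule a refresh.
function saveAuthWithExpiry(storage, token, ttlMs, now = Date.now()) {
  const record = { token, expiresAt: now + ttlMs };
  storage.setItem('auth', JSON.stringify(record));
  return record.expiresAt;
}

// Reads the token back; anything expired, malformed, or lacking an expiry
// is purged from storage and treated as "not logged in".
function loadAuth(storage, now = Date.now()) {
  const raw = storage.getItem('auth');
  if (raw === null) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { storage.removeItem('auth'); return null; }
  if (typeof record.expiresAt !== 'number' || now >= record.expiresAt) {
    storage.removeItem('auth');
    return null;
  }
  return record.token;
}

// Audit helper: does the 'auth' entry still carry a password field?
function hasPersistedPassword(storage) {
  const raw = storage.getItem('auth');
  if (raw === null) return false;
  try { return Object.prototype.hasOwnProperty.call(JSON.parse(raw), 'password'); }
  catch (e) { return false; }
}
```

In a real page the same audit can be done from the browser devtools console against `localStorage` to confirm that no credential material outlives the session.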
External References:
https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9
Andrej Nemec anemec@redhat.com changed:
What             | Removed | Added
-----------------+---------+----------------------
Fixed In Version |         | rabbitmq-server 3.6.9
Andrej Nemec anemec@redhat.com changed:
What       | Removed | Added
-----------+---------+-------------------
Depends On |         | 1448338, 1448339

--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1448338]
Affects: fedora-24 [bug 1448339]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1448338 [Bug 1448338] CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1448339 [Bug 1448339] CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various flaws [fedora-24]
Andrej Nemec anemec@redhat.com changed:
What   | Removed | Added
-------+---------+--------
Blocks |         | 1448341
Summer Long slong@redhat.com changed:
Whiteboard, removed:
impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-522,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=new,openstack-5/rabbitmq-server=new,openstack-6/rabbitmq-server=new,openstack-7/rabbitmq-server=new,openstack-8/rabbitmq-server=new,openstack-9/rabbitmq-server=new,openstack-10/rabbitmq-server=new,openstack-11/rabbitmq-server=new

Whiteboard, added:
impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-522,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=new,openstack-5/rabbitmq-server=wontfix,openstack-6/rabbitmq-server=wontfix,openstack-7/rabbitmq-server=wontfix,openstack-8/rabbitmq-server=wontfix,openstack-9/rabbitmq-server=wontfix,openstack-10/rabbitmq-server=wontfix,openstack-11/rabbitmq-server=wontfix
Siddharth Sharma sisharma@redhat.com changed:
Whiteboard, removed:
impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-522,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=new,openstack-5/rabbitmq-server=wontfix,openstack-6/rabbitmq-server=wontfix,openstack-7/rabbitmq-server=wontfix,openstack-8/rabbitmq-server=wontfix,openstack-9/rabbitmq-server=wontfix,openstack-10/rabbitmq-server=wontfix,openstack-11/rabbitmq-server=wontfix

Whiteboard, added:
impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-522,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=wontfix,openstack-5/rabbitmq-server=wontfix,openstack-6/rabbitmq-server=wontfix,openstack-7/rabbitmq-server=wontfix,openstack-8/rabbitmq-server=wontfix,openstack-9/rabbitmq-server=wontfix,openstack-10/rabbitmq-server=wontfix,openstack-11/rabbitmq-server=wontfix

--- Comment #4 from Siddharth Sharma sisharma@redhat.com ---
upstream fix:
https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d2938993...
--- Comment #5 from Summer Long slong@redhat.com ---
Statement:

This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11

Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default. To verify your environment's plugin usage, run:

# rabbitmq-plugins list

A future update may address this issue. Red Hat Product Security has rated this issue as having a security impact of Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
--- Comment #6 from Adam Mariš amaris@redhat.com ---
Statement:

This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11

Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default. To verify your environment's plugin usage, run:

# rabbitmq-plugins list

A future update may address this issue. Red Hat Product Security has rated this issue as having Moderate security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Summer Long slong@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
CC          |         | slong@redhat.com
Resolution  | ---     | WONTFIX
Last Closed |         | 2017-07-02 20:55:20

Bug 1448337 depends on bug 1448339, which changed state.

Bug 1448339 Summary: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various flaws [fedora-24]
https://bugzilla.redhat.com/show_bug.cgi?id=1448339

What       | Removed | Added
-----------+---------+-------
Status     | NEW     | CLOSED
Resolution | ---     | ERRATA