[Bug 1448337] New: CVE-2017-4966 rabbitmq: Authentication details are stored in browser-local storage without expiration
3:53 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Bug ID: 1448337
Summary: CVE-2017-4966 rabbitmq: Authentication details are
stored in browser-local storage without expiration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: aortega(a)redhat.com, apevec(a)redhat.com,
ayoung(a)redhat.com, chrisw(a)redhat.com,
cvsbot-xmlrpc(a)redhat.com,
erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
jjoyce(a)redhat.com, josh(a)fornwall.com,
jschluet(a)redhat.com, kbasil(a)redhat.com,
lemenkov(a)gmail.com, lhh(a)redhat.com, lpeer(a)redhat.com,
markmc(a)redhat.com, plemenko(a)redhat.com,
rbryant(a)redhat.com, rjones(a)redhat.com,
sclewis(a)redhat.com, sisharma(a)redhat.com,
srevivo(a)redhat.com, s(a)shk.io, tdecacqu(a)redhat.com
It was found that the rabbitmq authentication details are being stored
indefinitely in the local browser cache.
External References:
https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9
--
You are receiving this mail because:
You are on the CC list for the bug.
3:54 a.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Andrej Nemec <anemec(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version| |rabbitmq-server 3.6.9
--
You are receiving this mail because:
You are on the CC list for the bug.
3:56 a.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Andrej Nemec <anemec(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1448338, 1448339
--- Comment #1 from Andrej Nemec <anemec(a)redhat.com> ---
Created rabbitmq-server tracking bugs for this issue:
Affects: epel-all [bug 1448338]
Affects: fedora-24 [bug 1448339]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1448338
[Bug 1448338] CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server:
various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1448339
[Bug 1448339] CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server:
various flaws [fedora-24]
--
You are receiving this mail because:
You are on the CC list for the bug.
8:12 a.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Andrej Nemec <anemec(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1448341
--
You are receiving this mail because:
You are on the CC list for the bug.
10:30 p.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Summer Long <slong(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2017 |impact=moderate,public=2017
|0329,reported=20170422,sour |0329,reported=20170422,sour
|ce=gentoo,cvss3=5.5/CVSS:3. |ce=gentoo,cvss3=5.5/CVSS:3.
|0/AV:L/AC:L/PR:L/UI:N/S:U/C |0/AV:L/AC:L/PR:L/UI:N/S:U/C
|:H/I:N/A:N,cwe=CWE-522,fedo |:H/I:N/A:N,cwe=CWE-522,fedo
|ra-24/rabbitmq-server=affec |ra-24/rabbitmq-server=affec
|ted,fedora-25/rabbitmq-serv |ted,fedora-25/rabbitmq-serv
|er=notaffected,epel-all/rab |er=notaffected,epel-all/rab
|bitmq-server=affected,rhsco |bitmq-server=affected,rhsco
|n-2/rabbitmq-server=new,ope |n-2/rabbitmq-server=new,ope
|nstack-5/rabbitmq-server=ne |nstack-5/rabbitmq-server=wo
|w,openstack-6/rabbitmq-serv |ntfix,openstack-6/rabbitmq-
|er=new,openstack-7/rabbitmq |server=wontfix,openstack-7/
|-server=new,openstack-8/rab |rabbitmq-server=wontfix,ope
|bitmq-server=new,openstack- |nstack-8/rabbitmq-server=wo
|9/rabbitmq-server=new,opens |ntfix,openstack-9/rabbitmq-
|tack-10/rabbitmq-server=new |server=wontfix,openstack-10
|,openstack-11/rabbitmq-serv |/rabbitmq-server=wontfix,op
|er=new |enstack-11/rabbitmq-server=
| |wontfix
--
You are receiving this mail because:
You are on the CC list for the bug.
11:22 p.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Siddharth Sharma <sisharma(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2017 |impact=moderate,public=2017
|0329,reported=20170422,sour |0329,reported=20170422,sour
|ce=gentoo,cvss3=5.5/CVSS:3. |ce=gentoo,cvss3=5.5/CVSS:3.
|0/AV:L/AC:L/PR:L/UI:N/S:U/C |0/AV:L/AC:L/PR:L/UI:N/S:U/C
|:H/I:N/A:N,cwe=CWE-522,fedo |:H/I:N/A:N,cwe=CWE-522,fedo
|ra-24/rabbitmq-server=affec |ra-24/rabbitmq-server=affec
|ted,fedora-25/rabbitmq-serv |ted,fedora-25/rabbitmq-serv
|er=notaffected,epel-all/rab |er=notaffected,epel-all/rab
|bitmq-server=affected,rhsco |bitmq-server=affected,rhsco
|n-2/rabbitmq-server=new,ope |n-2/rabbitmq-server=wontfix
|nstack-5/rabbitmq-server=wo |,openstack-5/rabbitmq-serve
|ntfix,openstack-6/rabbitmq- |r=wontfix,openstack-6/rabbi
|server=wontfix,openstack-7/ |tmq-server=wontfix,openstac
|rabbitmq-server=wontfix,ope |k-7/rabbitmq-server=wontfix
|nstack-8/rabbitmq-server=wo |,openstack-8/rabbitmq-serve
|ntfix,openstack-9/rabbitmq- |r=wontfix,openstack-9/rabbi
|server=wontfix,openstack-10 |tmq-server=wontfix,openstac
|/rabbitmq-server=wontfix,op |k-10/rabbitmq-server=wontfi
|enstack-11/rabbitmq-server= |x,openstack-11/rabbitmq-ser
|wontfix |ver=wontfix
--
You are receiving this mail because:
You are on the CC list for the bug.
9:54 p.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
--- Comment #4 from Siddharth Sharma <sisharma(a)redhat.com> ---
upstream fix:
https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d2938...
--
You are receiving this mail because:
You are on the CC list for the bug.
11:02 p.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
--- Comment #5 from Summer Long <slong(a)redhat.com> ---
Statement:
This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled
or used by default.
To verify your environment's plugin usage, run:
# rabbitmq-plugins list
A future update may address this issue. Red Hat Product Security has rated this
issue as having a security impact of Moderate. For additional information,
refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.
--
You are receiving this mail because:
You are on the CC list for the bug.
2:37 a.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
--- Comment #6 from Adam Mariš <amaris(a)redhat.com> ---
Statement:
This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled
or used by default.
To verify your environment's plugin usage, run:
# rabbitmq-plugins list
A future update may address this issue. Red Hat Product Security has rated this
issue as having Moderate security impact. For additional information, refer to
the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.
--
You are receiving this mail because:
You are on the CC list for the bug.
7:55 p.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Summer Long <slong(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
CC| |slong(a)redhat.com
Resolution|--- |WONTFIX
Last Closed| |2017-07-02 20:55:20
--
You are receiving this mail because:
You are on the CC list for the bug.
3:42 a.m.
New subject: [Bug 1448337] CVE-2017-4966 rabbitmq:
Authentication details are stored in browser-local storage without
expiration
https://bugzilla.redhat.com/show_bug.cgi?id=1448337
Bug 1448337 depends on bug 1448339, which changed state.
Bug 1448339 Summary: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various
flaws [fedora-24]
https://bugzilla.redhat.com/show_bug.cgi?id=1448339
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
2031
days inactive
2546
days old
erlang@lists.fedoraproject.org
10 comments
1 participants
participants (1)
-
bugzilla@redhat.com