https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Bug ID: 1185515
Summary: RabbitMQ: /api/definitions response splitting vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: kseifried@redhat.com
CC: abaron@redhat.com, aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, chrisw@redhat.com, dallan@redhat.com, erlang@lists.fedoraproject.org, gkotton@redhat.com, hubert.plociniczak@gmail.com, jeckersb@redhat.com, josh@fornwall.com, lemenkov@gmail.com, lhh@redhat.com, lpeer@redhat.com, markmc@redhat.com, pmyers@redhat.com, rbryant@redhat.com, rjones@redhat.com, s@shk.io, sclewis@redhat.com, yeylon@redhat.com
26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0)
Bug 26433 allowed an attacker to specify a URL to /api/definitions which would cause an arbitrary additional header to be returned. This was fixed by stripping out CR/LF from the "download" query string parameter.
Upstream patches: http://hg.rabbitmq.com/rabbitmq-management/rev/dceba16cc105
References: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
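An added illustration of the flaw class and the fix described above (example code written for this page, not RabbitMQ's Erlang code): the "download" query parameter is copied into a Content-Disposition header, once verbatim and once with CR/LF stripped as the upstream patch does, and the resulting header block is parsed the way an HTTP client would to show which headers it sees. The URL, host and the injected header name are constructed sample values.

```python
from urllib.parse import parse_qs, urlsplit


def content_disposition_unsafe(download):
    # Vulnerable variant: the request-controlled value is copied verbatim,
    # so an embedded CRLF ends the header line early.
    return "Content-Disposition: attachment; filename=" + download


def strip_crlf(value):
    # The upstream fix: drop CR and LF so the value cannot terminate the header.
    return value.replace("\r", "").replace("\n", "")


def content_disposition_fixed(download):
    return "Content-Disposition: attachment; filename=" + strip_crlf(download)


def download_param(url):
    # Extract the "download" query parameter from an /api/definitions URL.
    qs = parse_qs(urlsplit(url).query)
    return qs.get("download", [""])[0]


def header_names(head):
    # Parse a serialized response head as a client does: one header per CRLF line.
    names = []
    for line in head.split("\r\n"):
        if ":" in line:
            names.append(line.split(":", 1)[0].strip())
    return names


def render(download, builder):
    # Constructed sample response head: status line plus the one built header.
    return "HTTP/1.1 200 OK\r\n" + builder(download) + "\r\n\r\n"


# Constructed sample request: the download name carries an encoded CRLF.
SAMPLE_URL = ("http://broker.example:15672/api/definitions"
              "?download=defs.json%0d%0aX-Injected:%201")


def demo():
    value = download_param(SAMPLE_URL)
    unsafe = header_names(render(value, content_disposition_unsafe))
    fixed = header_names(render(value, content_disposition_fixed))
    return unsafe, fixed


if __name__ == "__main__":
    print(demo())
```

The unsafe build yields two headers (Content-Disposition and the injected one); the fixed build yields only Content-Disposition, which is the check a regression test for this bug should assert.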
Kurt Seifried kseifried@redhat.com changed:
What | Removed | Added
Blocks | | 1185513
Kurt Seifried kseifried@redhat.com changed:
What | Removed | Added
Depends On | | 1185516
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185516 [Bug 1185516] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [fedora-all]
Kurt Seifried kseifried@redhat.com changed:
What | Removed | Added
Depends On | | 1185517
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185517 [Bug 1185517] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [epel-all]
--- Comment #1 from Kurt Seifried kseifried@redhat.com ---
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1185516]
Affects: epel-all [bug 1185517]
Kurt Seifried kseifried@redhat.com changed:
What | Removed | Added
Summary | RabbitMQ: /api/definitions rsponse splitting vulnerability | RabbitMQ: /api/definitions response splitting vulnerability
Kurt Seifried kseifried@redhat.com changed:
What | Removed | Added
Alias | | CVE-2014-9650
Kurt Seifried kseifried@redhat.com changed:
What | Removed | Added
Summary | RabbitMQ: /api/definitions response splitting vulnerability | CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
CC | | gmollett@redhat.com
Whiteboard | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=new,openstack-5-rhel7/rabbitmq-server=new,openstack-6/rabbitmq-server=new | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=affected,openstack-5-rhel7/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
Whiteboard | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5-rhel6/rabbitmq-server=affected,openstack-5-rhel7/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=defer,openstack-6/rabbitmq-server=defer
Peter Lemenkov plemenko@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
CC | | plemenko@redhat.com
Fixed In Version | | rabbitmq-server-3.5.1-1.fc22
Resolution | --- | ERRATA
Last Closed | | 2015-10-23 17:17:27
--- Comment #2 from Peter Lemenkov plemenko@redhat.com ---
Both this and corresponding bug 1185514 were addressed in RabbitMQ 3.4.1. We already ship ver. 3.5.x, so this issue is already fixed in Fedora 22+.
As for Fedora 21 users, we strongly advise users to upgrade to F22 or to the upcoming F23.
Bug 1185515 depends on bug 1185516, which changed state.
Bug 1185516 Summary: rabbitmq-server: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185516
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Peter Lemenkov plemenko@redhat.com changed:
What | Removed | Added
Status | CLOSED | NEW
Resolution | ERRATA | ---
Keywords | | Reopened
--- Comment #3 from Peter Lemenkov plemenko@redhat.com ---
Reopening - unfortunately it is still not fixed for EPEL7.
--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
rabbitmq-server-3.3.5-12.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1185515 depends on bug 1185517, which changed state.
Bug 1185517 Summary: rabbitmq-server: various flaws [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185517
What | Removed | Added
Status | ON_QA | CLOSED
Resolution | --- | ERRATA
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
Whiteboard | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=defer,openstack-6/rabbitmq-server=defer | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
Whiteboard | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected,openstack-7/rabbitmq-server=affected,openstack-8/rabbitmq-server=affected
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
Depends On | | 1304946
Depends On | | 1304947
Depends On | | 1304948
Depends On | | 1304949
Depends On | | 1304950
Summer Long slong@redhat.com changed:
What | Removed | Added
CC | | slong@redhat.com
Flags | | needinfo?(gmollett@redhat.com)
--- Doc Text *updated* ---
A response-splitting vulnerability was discovered in RabbitMQ. An /api/definitions URL could be specified, which then caused an arbitrary additional header to be returned. A remote attacker could use this flaw to inject arbitrary HTTP headers and possibly gain access to secure data.
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
Flags | needinfo?(gmollett@redhat.com) |
--- Comment #8 from Garth Mollett gmollett@redhat.com --- Acknowledgments:
Name: (none)
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
OpenStack 6 for RHEL 7
Via RHSA-2016:0308 https://rhn.redhat.com/errata/RHSA-2016-0308.html
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2016:0369 https://rhn.redhat.com/errata/RHSA-2016-0369.html
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
Via RHSA-2016:0368 https://rhn.redhat.com/errata/RHSA-2016-0368.html
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Via RHSA-2016:0367 https://rhn.redhat.com/errata/RHSA-2016-0367.html
Garth Mollett gmollett@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | 2015-10-23 17:17:27 | 2016-03-08 18:41:01
Ján Rusnačko jrusnack@redhat.com changed:
What | Removed | Added
CC | | jrusnack@redhat.com
Whiteboard | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected,openstack-7/rabbitmq-server=affected,openstack-8/rabbitmq-server=affected | impact=moderate,public=20141029,reported=20150121,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/rabbitmq-server=affected,epel-all/rabbitmq-server=affected,openstack-5/rabbitmq-server=affected,openstack-6/rabbitmq-server=affected,openstack-7/rabbitmq-server=affected,openstack-8/rabbitmq-server=affected,cwe=CWE-113