Bug 1037777 (CVE-2017-4967)

Summary: VUL-1: CVE-2017-4965, CVE-2017-4967: rabbitmq-server: Two XSS vulnerabilities in management UI
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: Incidents    Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: atoptsoglou, Gyee, kberger, security-team, smash_bz, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/184826/
Whiteboard: CVSSv2:SUSE:CVE-2017-4965:3.6:(AV:N/AC:H/Au:S/C:P/I:P/A:N)
Found By: Security Response Team    Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Guang Yee 2020-06-02 16:48:04 UTC
We don't expose the rabbitmq UI endpoint to the public. It is only accessible from the controller internal network.
Comment 2 Keith Berger 2020-06-09 20:20:04 UTC
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.


so > 3.6.9 is ok

SOC9: 3.6.16 https://build.suse.de/package/show/Devel:Cloud:9/rabbitmq-server

SOC8: 3.6.16 https://build.suse.de/package/show/Devel:Cloud:8/rabbitmq-server

SOC7: 3.4.4 https://build.suse.de/package/show/Devel:Cloud:7/rabbitmq-server

so the only place this exists is SOC7, so we need to verify in SOC7 (crowbar) that it is locked down
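The affected-version logic quoted from the Pivotal advisory in the comment above, as an added example (not code from this bug, SUSE or Pivotal): it encodes the advisory's ranges ("prior to 3.6.9" means 3.6.9 itself is fixed) and runs them over the SOC inventory listed in the comment; the package-release suffix handling (e.g. "3.4.4-3.16.1") is an assumption about SUSE package naming.

```ruby
# Added example: check rabbitmq-server versions against the affected ranges
# stated in the advisory text (all 3.4.x, all 3.5.x, 3.6.x prior to 3.6.9),
# and the RabbitMQ for PCF ranges (all 1.5.x, 1.6.x < 1.6.18, 1.7.x < 1.7.15).
require "rubygems" # Gem::Version handles numeric (not lexical) comparison

# Each range is [lower_inclusive, upper_exclusive).
RABBITMQ_SERVER_AFFECTED = [
  ["3.4.0", "3.5.0"],
  ["3.5.0", "3.6.0"],
  ["3.6.0", "3.6.9"],
].freeze

RABBITMQ_PCF_AFFECTED = [
  ["1.5.0", "1.6.0"],
  ["1.6.0", "1.6.18"],
  ["1.7.0", "1.7.15"],
].freeze

# Assumption: a SUSE package version like "3.4.4-3.16.1" carries the upstream
# version before the first "-"; only the upstream part matters here.
def upstream_version(package_version)
  package_version.split("-").first
end

def affected?(version_string, ranges = RABBITMQ_SERVER_AFFECTED)
  v = Gem::Version.new(upstream_version(version_string))
  ranges.any? do |lo, hi|
    v >= Gem::Version.new(lo) && v < Gem::Version.new(hi)
  end
end

# Inventory exactly as listed in the comment (product => rabbitmq-server version).
SOC_INVENTORY = { "SOC9" => "3.6.16", "SOC8" => "3.6.16", "SOC7" => "3.4.4" }.freeze

# Returns the product names whose rabbitmq-server falls in an affected range.
def affected_products(inventory = SOC_INVENTORY)
  inventory.select { |_product, ver| affected?(ver) }.keys
end

if __FILE__ == $PROGRAM_NAME
  SOC_INVENTORY.each do |product, ver|
    puts "#{product}: rabbitmq-server #{ver} -> #{affected?(ver) ? 'AFFECTED' : 'not affected'}"
  end
end
```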
Comment 3 Keith Berger 2020-06-10 00:20:30 UTC
on SOC7, the plugin is enabled by default, but I did confirm it was locked down to an internal-only management network and not any public networks. This seems a pretty low risk. If this is not acceptable, we could disable the plugin by default here

https://github.com/crowbar/crowbar-openstack/blob/master/chef/cookbooks/rabbitmq/recipes/default.rb


Security: please review and let us know if the risk is low enough or if we need to disable the plugin.
Comment 4 Keith Berger 2020-06-22 16:06:10 UTC
Security, please review and see if the explanation is acceptable to close this CVE.
Comment 5 Wolfgang Frisch 2020-06-30 14:54:39 UTC
Please disable the plugin by default, as discussed.
Comment 10 Keith Berger 2020-07-06 13:13:08 UTC
Patch is merged to 

https://build.suse.de/package/show/Devel:Cloud:7/rabbitmq-server

Security, please review and close when appropriate.
Comment 11 Swamp Workflow Management 2020-07-29 19:12:51 UTC
SUSE-RU-2020:2072-1: An update that solves 31 vulnerabilities and has 8 fixes is now available.

Category: recommended (low)
Bug References: 1037777,1068612,1069468,1070737,1077718,1083903,1111657,1126503,1133817,1135773,1138748,1148383,1149110,1149535,1153191,1156525,1159447,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161349,1161670,1164316,1165402,1167244,1170657,1171560,1171909,1172166,1172167,1172175,1172176,1172409,948198,981848
CVE References: CVE-2017-1000246,CVE-2017-4965,CVE-2017-4967,CVE-2018-1000115,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19844,CVE-2019-19911,CVE-2019-3498,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5247,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
JIRA References: ECO-1256,SOC-10357,SOC-11067,SOC-11077,SOC-11079,SOC-11082,SOC-11122,SOC-11174,SOC-11187,SOC-11224,SOC-11238,SOC-11243,SOC-11248,SOC-11251,SOC-11286,SOC-9298,SOC-9801
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-12.2, crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5, crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4, crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4, grafana-4.6.5-1.14.1, keepalived-2.0.19-1.8.1, kibana-4.6.3-5.1, memcached-1.5.17-3.6.1, monasca-installer-20180608_12.47-12.1, openstack-dashboard-theme-SUSE-2016.2-5.12.4, openstack-manila-3.0.1~dev30-4.12.2, openstack-manila-doc-3.0.1~dev30-4.12.3, openstack-neutron-fwaas-9.0.2~dev5-4.9.3, openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4, openstack-nova-14.0.11~dev13-4.40.2, openstack-nova-doc-14.0.11~dev13-4.40.2, openstack-tempest-12.2.1~a0~dev177-4.9.1, python-Django-1.8.19-3.23.1, python-Pillow-2.8.1-4.12.1, python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1, python-psutil-1.2.1-21.1, python-py-1.8.1-11.12.1, python-pysaml2-4.0.2-3.17.1, python-waitress-1.4.3-3.3.1, rabbitmq-server-3.4.4-3.16.1, release-notes-suse-openstack-cloud-7.20180803-3.18.3, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-7.20.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.10-6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Alexandros Toptsoglou 2020-08-04 07:47:16 UTC
Done