First Last Prev Next    This bug is not in your last search results.
Bug 1037777 - (CVE-2017-4967) VUL-1: CVE-2017-4965, CVE-2017-4967: rabbitmq-server: Two XSS vulnerabilitiesin management UI
(CVE-2017-4967)
VUL-1: CVE-2017-4965, CVE-2017-4967: rabbitmq-server: Two XSS vulnerabilities...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/184826/
CVSSv2:SUSE:CVE-2017-4965:3.6:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-05 11:15 UTC by Johannes Segitz
Modified: 2020-08-04 07:47 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Guang Yee 2020-06-02 16:48:04 UTC 
We don't expose the rabbitmq UI endpoint to the public. It is only accessible from the controller internal network.
Comment 2 Keith Berger 2020-06-09 20:20:04 UTC 
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.


so > 3.6.9 is ok

SOC9: 3.6.16 https://build.suse.de/package/show/Devel:Cloud:9/rabbitmq-server

SOC8: 3.6.16 https://build.suse.de/package/show/Devel:Cloud:8/rabbitmq-server

SOC7: 3.4.4 https://build.suse.de/package/show/Devel:Cloud:7/rabbitmq-server

so the only place this exists is SOC7 so need to verify in SOC7 (crowbar) it is locked down
Comment 3 Keith Berger 2020-06-10 00:20:30 UTC 
on SOC7, the plugin is enabled by default but i did confirm it was locked down to an internal only manangement network and not any public networks.  The seems a pretty low risk.  If this is not acceptable, we could disable the plugin by default here

https://github.com/crowbar/crowbar-openstack/blob/master/chef/cookbooks/rabbitmq/recipes/default.rb


Security: please review and let us know is the risk is low enough or if we need to disable the plugin.
Comment 4 Keith Berger 2020-06-22 16:06:10 UTC 
Security please review and see if the explantion is acceptable to close this CVE
Comment 5 Wolfgang Frisch 2020-06-30 14:54:39 UTC 
Please disable the plugin by default, as discussed.
Comment 10 Keith Berger 2020-07-06 13:13:08 UTC 
Patch is merged to 

https://build.suse.de/package/show/Devel:Cloud:7/rabbitmq-server

Security, please review and close when appropriate.
Comment 11 Swamp Workflow Management 2020-07-29 19:12:51 UTC 
SUSE-RU-2020:2072-1: An update that solves 31 vulnerabilities and has 8 fixes is now available.

Category: recommended (low)
Bug References: 1037777,1068612,1069468,1070737,1077718,1083903,1111657,1126503,1133817,1135773,1138748,1148383,1149110,1149535,1153191,1156525,1159447,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161349,1161670,1164316,1165402,1167244,1170657,1171560,1171909,1172166,1172167,1172175,1172176,1172409,948198,981848
CVE References: CVE-2017-1000246,CVE-2017-4965,CVE-2017-4967,CVE-2018-1000115,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19844,CVE-2019-19911,CVE-2019-3498,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5247,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
JIRA References: ECO-1256,SOC-10357,SOC-11067,SOC-11077,SOC-11079,SOC-11082,SOC-11122,SOC-11174,SOC-11187,SOC-11224,SOC-11238,SOC-11243,SOC-11248,SOC-11251,SOC-11286,SOC-9298,SOC-9801
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-12.2, crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5, crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4, crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4, grafana-4.6.5-1.14.1, keepalived-2.0.19-1.8.1, kibana-4.6.3-5.1, memcached-1.5.17-3.6.1, monasca-installer-20180608_12.47-12.1, openstack-dashboard-theme-SUSE-2016.2-5.12.4, openstack-manila-3.0.1~dev30-4.12.2, openstack-manila-doc-3.0.1~dev30-4.12.3, openstack-neutron-fwaas-9.0.2~dev5-4.9.3, openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4, openstack-nova-14.0.11~dev13-4.40.2, openstack-nova-doc-14.0.11~dev13-4.40.2, openstack-tempest-12.2.1~a0~dev177-4.9.1, python-Django-1.8.19-3.23.1, python-Pillow-2.8.1-4.12.1, python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1, python-psutil-1.2.1-21.1, python-py-1.8.1-11.12.1, python-pysaml2-4.0.2-3.17.1, python-waitress-1.4.3-3.3.1, rabbitmq-server-3.4.4-3.16.1, release-notes-suse-openstack-cloud-7.20180803-3.18.3, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-7.20.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.10-6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Alexandros Toptsoglou 2020-08-04 07:47:16 UTC 
Done
First Last Prev Next    This bug is not in your last search results.