Bug 1119372 - (CVE-2018-1279) VUL-0: CVE-2018-1279: rabbitmq-server: Problem with deterministically generated cookie that is shared between all machines
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Minor
Assigned To: Jan Blunck
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/220556/
Whiteboard: CVSSv3:RedHat:CVE-2018-1279:7.5:(AV:...

Reported: 2018-12-13 10:13 UTC by Alexander Bergmann
Modified: 2019-01-10 13:55 UTC

Found By: Security Response Team
Description Alexander Bergmann 2018-12-13 10:13:09 UTC
CVE-2018-1279

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated
cookie that is shared between all machines when configured in a multi-tenant
cluster. A remote attacker who can gain information about the network topology
can guess this cookie and, if they have access to the right ports on any server
in the MQ cluster, can use this cookie to gain full control over the entire
cluster.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1279
https://pivotal.io/security/cve-2018-1279
Comment 6 Itxaka serrano 2019-01-10 09:38:03 UTC
This does not affect crowbar 7/8/9 as we generate our own cookie when we have a clustered setup:

Crowbar 7: https://github.com/crowbar/crowbar-openstack/blob/stable/4.0/crowbar_framework/app/models/rabbitmq_service.rb#L133

Crowbar 8: https://github.com/crowbar/crowbar-openstack/blob/stable/5.0-pike/crowbar_framework/app/models/rabbitmq_service.rb#L133

Crowbar 9/development branch: https://github.com/crowbar/crowbar-openstack/blob/master/crowbar_framework/app/models/rabbitmq_service.rb#L133


On crowbar 6 there was no "real" clustering, we used active/passive with shared storage so it's also not affected by this.

On the crowbar side, this issue was mitigated since day -1 :)
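
An added example, not part of the original comments and not Crowbar's or RabbitMQ's own code: a Ruby sketch of the mitigation comment 6 describes (a randomly generated cookie per cluster) together with an audit of existing cookie files. The function names, the minimum length policy and the sample hostname are assumptions made for illustration.

```ruby
require "securerandom"
require "tmpdir"

MIN_COOKIE_LENGTH = 32 # assumption: local policy chosen for this example

# Fresh cookie from the OS CSPRNG; no hostname, IP or cluster name goes in.
def generate_cookie(length = 48)
  SecureRandom.alphanumeric(length)
end

# Create the file owner-read-only; EXCL refuses to overwrite an existing cookie.
def write_cookie(path, cookie)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o400) { |f| f.write(cookie) }
end

# Findings for one cookie file. `topology` lists strings an outsider could
# learn (hostnames, IPs, cluster names), supplied by the operator.
def audit_cookie(path, topology: [])
  findings = []
  findings << "file is accessible by group or other" if (File.stat(path).mode & 0o077) != 0
  cookie = File.read(path).strip
  findings << "shorter than #{MIN_COOKIE_LENGTH} characters" if cookie.length < MIN_COOKIE_LENGTH
  hit = topology.find { |t| !t.empty? && cookie.downcase.include?(t.downcase) }
  findings << "contains topology value #{hit.inspect}" if hit
  findings
end

# Given {cluster_name => cookie}, list groups of clusters sharing one cookie.
def reused_cookies(cookies_by_cluster)
  cookies_by_cluster.group_by { |_, cookie| cookie }
                    .select { |_, pairs| pairs.size > 1 }
                    .map { |_, pairs| pairs.map(&:first).sort }
end

# Constructed demo: one generated cookie and one weak cookie built from a hostname.
def demo
  Dir.mktmpdir do |dir|
    good = File.join(dir, "good.cookie")
    weak = File.join(dir, "weak.cookie")
    write_cookie(good, generate_cookie)
    File.write(weak, "rabbit-node1.example") # constructed sample value
    File.chmod(0o644, weak)
    { good: audit_cookie(good, topology: ["node1.example"]),
      weak: audit_cookie(weak, topology: ["node1.example"]) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

All nodes of one cluster must hold the same cookie, so the value is generated once per cluster and distributed to its nodes; `reused_cookies` flags the opposite case, where separate clusters ended up with an identical value.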
Comment 7 Alexander Bergmann 2019-01-10 13:55:06 UTC
Thanks Itxaka, I'm assigning this bug to our openSUSE maintainer.

I'm not sure if there will be only a mitigation and no direct fix for this issue.