Bug 1119372 - (CVE-2018-1279) VUL-0: CVE-2018-1279: rabbitmq-server: Problem with deterministically generated cookie that is shared between all machines
VUL-0: CVE-2018-1279: rabbitmq-server: Problem with deterministically generat...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Jan Blunck
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2018-12-13 10:13 UTC by Alexander Bergmann
Modified: 2019-01-10 13:55 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2018-12-13 10:13:09 UTC

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated
cookie that is shared between all machines when configured in a multi-tenant
cluster. A remote attacker who can gain information about the network topology
can guess this cookie and, if they have access to the right ports on any server
in the MQ cluster can use this cookie to gain full control over the entire

Comment 6 Itxaka serrano 2019-01-10 09:38:03 UTC
This does not affect crowbar 7/8/9 as we generate our own cookie when we have a clustered setup:

Crowbar 7: https://github.com/crowbar/crowbar-openstack/blob/stable/4.0/crowbar_framework/app/models/rabbitmq_service.rb#L133

Crowbar 8: https://github.com/crowbar/crowbar-openstack/blob/stable/5.0-pike/crowbar_framework/app/models/rabbitmq_service.rb#L133

Crowbar 9/development branch: https://github.com/crowbar/crowbar-openstack/blob/master/crowbar_framework/app/models/rabbitmq_service.rb#L133

On crowbar 6 there was no "real" clustering, we used active/passive with shared storage so its also not affected by this.

On the crowbar side, this issue was mitigated since day -1 :)
Comment 7 Alexander Bergmann 2019-01-10 13:55:06 UTC
Thanks Itxaka, I'm assigning this bug to our openSUSE maintainer.

I'm not sure if there will be only a mitigation and no direct fix for this issue.