Bugzilla – Bug 1119372
VUL-0: CVE-2018-1279: rabbitmq-server: Problem with deterministically generated cookie that is shared between all machines
Last modified: 2019-01-10 13:55:06 UTC
CVE-2018-1279 Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster, can use this cookie to gain full control over the entire cluster.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1279
https://pivotal.io/security/cve-2018-1279
This does not affect crowbar 7/8/9 as we generate our own cookie when we have a clustered setup:

Crowbar 7: https://github.com/crowbar/crowbar-openstack/blob/stable/4.0/crowbar_framework/app/models/rabbitmq_service.rb#L133
Crowbar 8: https://github.com/crowbar/crowbar-openstack/blob/stable/5.0-pike/crowbar_framework/app/models/rabbitmq_service.rb#L133
Crowbar 9/development branch: https://github.com/crowbar/crowbar-openstack/blob/master/crowbar_framework/app/models/rabbitmq_service.rb#L133

On crowbar 6 there was no "real" clustering, we used active/passive with shared storage so it's also not affected by this. On the crowbar side, this issue was mitigated since day -1 :)
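The pattern the CVE describes (one cookie reused across every cluster in a multi-tenant deployment) and the mitigation the comment above describes (each clustered setup generating its own cookie) can be checked with a small inventory audit. The following is an added example, not code from the bug report, from Pivotal or from Crowbar's rabbitmq_service.rb; the cluster and node names are constructed, and the minimum length is an assumed local policy value.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not taken from the bug report):
# cluster name -> {node name: cookie read from that node's ~/.erlang.cookie}
SAMPLE_INVENTORY = {
    "tenant-a": {"rmq-a1": "WXYZABCDEFGHIJKLMNOP", "rmq-a2": "WXYZABCDEFGHIJKLMNOP"},
    # same cookie as tenant-a: the cross-tenant sharing CVE-2018-1279 describes
    "tenant-b": {"rmq-b1": "WXYZABCDEFGHIJKLMNOP"},
    # nodes that disagree (cluster cannot form), and cookies below the length policy
    "tenant-c": {"rmq-c1": "c3o5lzqrs7w9", "rmq-c2": "NOTTHESAME"},
}


def audit_cookies(inventory, min_len=20):
    """Return a list of findings. Nodes inside one cluster must agree on the cookie
    (Erlang distribution requires it), but no cookie may be reused across clusters,
    and every cookie must meet the assumed minimum length."""
    findings = []
    clusters_by_cookie = defaultdict(set)
    for cluster, nodes in inventory.items():
        distinct = set(nodes.values())
        if len(distinct) > 1:
            findings.append(f"{cluster}: nodes disagree on the cookie ({len(distinct)} values)")
        for node, cookie in nodes.items():
            clusters_by_cookie[cookie].add(cluster)
            if len(cookie) < min_len:
                findings.append(f"{cluster}/{node}: cookie shorter than {min_len} characters")
    for cookie, clusters in clusters_by_cookie.items():
        if len(clusters) > 1:
            findings.append("cookie shared across clusters: " + ", ".join(sorted(clusters)))
    return findings


def new_cookie(length=40):
    """Generate a fresh per-cluster cookie from the OS CSPRNG instead of deriving it
    deterministically; the same value must then be installed on every node of that
    cluster only."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_INVENTORY):
        print(finding)
    print("replacement cookie for the offending cluster:", new_cookie())
```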
Thanks Itxaka, I'm assigning this bug to our openSUSE maintainer. I'm not sure if there will be only a mitigation and no direct fix for this issue.