Bug 911857 (CVE-2014-9494) - VUL-0: CVE-2014-9494: rabbitmq-server: insufficient 'X-Forwarded-For' header validation
Summary: VUL-0: CVE-2014-9494: rabbitmq-server: insufficient 'X-Forwarded-For' header ...
Status: RESOLVED FIXED
Alias: CVE-2014-9494
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Minor
Target Milestone: ---
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112054/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-06 14:08 UTC by Victor Pereira
Modified: 2015-04-08 14:00 UTC (History)
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-01-06 14:08:31 UTC
CVE-2014-9494

In RabbitMQ, the 'loopback_users' configuration directive allows one to specify a list of users that are only permitted to connect to the broker via localhost. It was found that RabbitMQ's management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that the attacker must know valid user credentials in order to connect to the broker.

Upstream patches:

http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1174872
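The check the report describes, as an added illustration that is not part of this bug report and not the RabbitMQ management plug-in's own code: a loopback-user restriction is only as strong as the way the remote address is derived. The function and parameter names, the trusted-proxy set and the sample addresses below are constructed for the example. The unsafe variant reproduces the pre-fix behaviour the description outlines (the header, if present, replaces the socket peer address); the safe variant only honours the header when the TCP peer is a configured reverse proxy, and then uses the hop that proxy appended rather than whatever the client put first.

```python
import ipaddress

# Constructed value mirroring the 'loopback_users' directive (not a real config).
LOOPBACK_USERS = frozenset({"guest"})


def _is_loopback(ip: str) -> bool:
    """True only for a syntactically valid loopback address (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def effective_client_ip_unsafe(peer_ip: str, headers: dict) -> str:
    """Pre-fix behaviour described in the report (assumed shape):
    any X-Forwarded-For value overrides the socket peer address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def effective_client_ip_safe(peer_ip: str, headers: dict,
                             trusted_proxies: frozenset = frozenset()) -> str:
    """Hardened derivation: trust the header only when the TCP peer is a
    known reverse proxy, and take the right-most hop (the one that proxy
    appended), because earlier entries are client-controlled."""
    xff = headers.get("X-Forwarded-For")
    if xff and peer_ip in trusted_proxies:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            try:
                return str(ipaddress.ip_address(hops[-1]))
            except ValueError:
                pass  # malformed hop: fall back to the socket address
    return peer_ip


def login_allowed(user: str, peer_ip: str, headers: dict,
                  trusted_proxies: frozenset = frozenset()) -> bool:
    """Apply the loopback restriction using the hardened address derivation."""
    if user not in LOOPBACK_USERS:
        return True
    return _is_loopback(effective_client_ip_safe(peer_ip, headers, trusted_proxies))


if __name__ == "__main__":
    # Constructed request: remote peer presenting a forged header.
    forged = {"X-Forwarded-For": "127.0.0.1"}
    print("unsafe sees:", effective_client_ip_unsafe("198.51.100.7", forged))
    print("safe sees:  ", effective_client_ip_safe("198.51.100.7", forged))
    print("guest login from remote peer allowed:",
          login_allowed("guest", "198.51.100.7", forged))
```

The design point is that the socket peer address is the only fact the broker itself observes; a forwarded header is an assertion by whoever sent it, so it is meaningful only when the sender is a proxy the operator has deliberately configured, and even then only the entry that proxy added can be relied on.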
Comment 1 Swamp Workflow Management 2015-01-06 23:01:12 UTC
bugbot adjusting priority
Comment 2 Vincent Untz 2015-01-19 10:32:39 UTC
Cloud < 5 are not impacted.

Cloud 5 is impacted, though.
Comment 3 Dirk Mueller 2015-01-21 16:23:22 UTC
Should we really only fix this CVE instead of higher-rated CVEs released alongside? There are over 20 CVEs in the rabbitmq releases since 2.8.7.
Comment 4 Victor Pereira 2015-01-22 12:14:43 UTC
Which are the differences between Devel:Cloud:5 and Devel:StudioOnline? Looks like at the first option, we have rabbitmq-server, version 3.4.3.
Comment 5 Vincent Untz 2015-01-22 12:38:25 UTC
(In reply to Victor Pereira from comment #4)
> which are the differences between Devel:Cloud:5 and Devel:StudioOnline?
> Looks like at the first option, we have rabbitmq-server, version 3.4.3..

I know nothing about Devel:StudioOnline. AFAIK, the cloud team always had a version of this package not shared with any other product (since no other product really shipped that -- Studio Online being "different" because it's online)
Comment 6 Vincent Untz 2015-01-22 12:38:53 UTC
Btw, we just updated to 3.4.3 in Devel:Cloud:5; it will not be in our next milestone, but likely in the final product.
Comment 7 Johannes Segitz 2015-04-08 14:00:59 UTC
Fixed in Cloud 5