Bug 916208 (CVE-2014-9568) - VUL-1: CVE-2014-9568: rabbitmq-server: puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node
Summary: VUL-1: CVE-2014-9568: rabbitmq-server: puppetlabs-rabbitmq 3.0 through 4.1 st...
Status: RESOLVED INVALID
Alias: CVE-2014-9568
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Ralf Haferkamp
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113477/
Reported: 2015-02-04 12:01 UTC by Johannes Segitz
Modified: 2015-04-29 09:50 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2015-02-04 12:01:21 UTC
CVE-2014-9568

puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in
the facts of a node, which allows local users to obtain sensitive information as
demonstrated by using Facter.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9568
http://puppetlabs.com/security/cve/cve-2014-9568
Comment 1 Swamp Workflow Management 2015-02-04 23:00:16 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2015-04-10 07:30:18 UTC
ping. Can you please submit?
Comment 3 Ralf Haferkamp 2015-04-29 09:03:53 UTC
Hm, I don't see how we're affected by this. (Nor why this is assigned to me.)

AFAICS we don't ship puppetlabs-rabbitmq (which seems to be a Puppet module to configure rabbitmq) on any of our products. Can you clarify what you expect me to do here?
Comment 4 Johannes Segitz 2015-04-29 09:40:14 UTC
(In reply to Ralf Haferkamp from comment #3)
SLES is not affected, but openSUSE is. You're listed as maintainer of 
network:messaging:amqp/rabbitmq-server
that's why I asked you. Can you please provide a submit for openSUSE?
Comment 5 Andreas Stieger 2015-04-29 09:50:37 UTC
The upstream commit is in puppetlabs-rabbitmq, a puppet module for managing RabbitMQ:
https://github.com/puppetlabs/puppetlabs-rabbitmq/commit/fd13a5a4fe0b8c2b9e2d243e62255e22cec84e28
Cannot find the affected code in rabbitmq-server.

puppetlabs-rabbitmq is a separate project from rabbitmq-server. We do not ship puppetlabs-rabbitmq. Closing.