Bugzilla – Bug 1017642
VUL-1: CVE-2016-9877: rabbitmq-server: authentication vulnerability
Last modified: 2024-07-26 18:40:49 UTC
https://pivotal.io/security/cve-2016-9877

3.x versions prior to 3.5.8
3.6.x versions prior to 3.6.6

MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Mitigation:
Enable TLS with client-provided certificates for MQTT connections
Switch to unique (difficult to guess) usernames

Fixed in 3.5.8, 3.6.6.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9877
http://www.cvedetails.com/cve/CVE-2016-9877/
https://pivotal.io/security/cve-2016-9877
bugbot adjusting priority
Upstream bug and discussion: https://github.com/rabbitmq/rabbitmq-mqtt/issues/96

> Connection succeeds when password is left blank for users with password set.
> I've experienced this issue on versions 3.4.3 and 3.6.4.
>
> Using {allow_anonymous, false} doesn't change the outcome.

Upstream PR: https://github.com/rabbitmq/rabbitmq-mqtt/pull/98

> The problem was that username and password fields had been checked separately
> and anonymous and SSL auth modes could interfere with these credentials.
> So a username without a password was treated like an SSL username and an
> anonymous password can be added to a non-anonymous username.
>
> The new logic corresponds with the plugin documentation. If any credential
> (username or password) is provided, default credentials and SSL auth are ignored.
> If only one of the credentials is provided an error is reported.

Merge commit: https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7
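The credential-resolution rule quoted from the upstream PR, modelled as an added Python example. This is not rabbitmq-mqtt's own (Erlang) code: the user table, the anonymous defaults, the allow_anonymous flag value and all function names are constructed for illustration. The "vulnerable" function models the first interference the PR names (a username without a password falling into the passwordless, TLS-certificate-style login path, independent of allow_anonymous); the "fixed" function applies the PR's stated rule that any credential in the packet disables defaults and SSL auth, and that exactly one credential is an error.

```python
# Added example: a Python model of MQTT CONNECT credential resolution before and
# after the fix described in rabbitmq-mqtt PR #98. Not the plugin's own code;
# the user table, defaults and function names below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectRequest:
    """Fields from an MQTT CONNECT packet; None means the field was omitted."""
    username: Optional[str]
    password: Optional[str]
    ssl_cert_cn: Optional[str] = None  # CN from a client TLS certificate, if any


# Constructed sample user database and anonymous defaults (hypothetical values).
USERS = {"alice": "s3cret", "guest": "guest"}
DEFAULT_USER, DEFAULT_PASS = "guest", "guest"
ALLOW_ANONYMOUS = False  # mirrors {allow_anonymous, false} from the issue report


def check_password(user: Optional[str], password: str) -> bool:
    """Password login: the user must exist and the password must match."""
    return user in USERS and USERS[user] == password


def login_without_password(user: Optional[str]) -> bool:
    """Passwordless login path intended for TLS client-certificate users: only
    the user's existence is checked. Reaching it with a username copied from
    the packet is the defect."""
    return user in USERS


def no_credentials(req: ConnectRequest) -> str:
    """Packet carries neither username nor password: use the TLS certificate if
    present, else anonymous defaults if allowed. Shared by both versions."""
    if req.ssl_cert_cn is not None:
        return "ok" if login_without_password(req.ssl_cert_cn) else "refused"
    if ALLOW_ANONYMOUS:
        return "ok" if check_password(DEFAULT_USER, DEFAULT_PASS) else "refused"
    return "refused"


def resolve_vulnerable(req: ConnectRequest) -> str:
    """Pre-fix behaviour as the PR describes it: username and password are
    resolved separately, so an omitted password sends an existing username
    down the passwordless path, whatever allow_anonymous says."""
    if req.username is None and req.password is None:
        return no_credentials(req)
    user = req.username if req.username is not None else req.ssl_cert_cn
    if req.password is None:
        return "ok" if login_without_password(user) else "refused"
    return "ok" if check_password(user, req.password) else "refused"


def resolve_fixed(req: ConnectRequest) -> str:
    """Post-fix rule: any credential in the packet disables defaults and SSL
    auth; exactly one credential is an error; none at all falls back."""
    if req.username is None and req.password is None:
        return no_credentials(req)
    if req.username is None or req.password is None:
        return "error"  # only one of the two credentials was supplied
    return "ok" if check_password(req.username, req.password) else "refused"


if __name__ == "__main__":
    blank = ConnectRequest("alice", None)
    print("vulnerable:", resolve_vulnerable(blank))  # ok: user exists, no password checked
    print("fixed:     ", resolve_fixed(blank))       # error: password missing
```

The only difference between the two resolvers is the partial-credential branch, which is why the upstream fix is small and why the mitigation of unique usernames helps: under the old logic the username alone was the whole secret.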
Assigning to openSUSE maintainer.
The provided patch does not apply for 13.2 (completely different code, it seems). Are you sure that 13.2 is affected?
(In reply to Dirk Mueller from comment #7)
> the provided patch does not apply for 13.2 (completely different code it
> seems). Are you sure that 13.2 is affected?

Yes. Here is the 3.5.6 backport with fewer tests:
https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be

Highlighting vulnerable code in the 3.3.5 tag (as we have in 13.2):

Hunk #1: https://github.com/rabbitmq/rabbitmq-mqtt/blob/004b1941e06fbbbe4c959bd968e9f49309227e13/src/rabbit_mqtt_processor.erl#L78
Hunk #2: https://github.com/rabbitmq/rabbitmq-mqtt/blob/004b1941e06fbbbe4c959bd968e9f49309227e13/src/rabbit_mqtt_processor.erl#L373-L387

The TLS auth code is new between the 13.2 version and 3.5.x / 3.6.x.
openSUSE-SU-2017:0306-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1017642
CVE References: CVE-2016-9877
Sources used:
openSUSE Leap 42.2 (src): rabbitmq-server-3.5.8-3.2
How come we release 3.5.8 as a maintenance update but Factory and its devel project still have 3.5.4?
This is an autogenerated message for OBS integration:
This bug (1017642) was mentioned in
https://build.opensuse.org/request/show/455068 Factory / rabbitmq-server