{"containers": {"cna": {"affected": [{"product": "RabbitMq for PCF", "vendor": "Pivotal", "versions": [{"lessThan": "all versions*", "status": "affected", "version": "1", "versionType": "custom"}]}], "datePublic": "2018-12-05T00:00:00", "descriptions": [{"lang": "en", "value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Use of Insufficiently Random Values", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-10T18:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2018-1279"}], "source": {"discovery": "UNKNOWN"}, "title": "RabbitMQ cluster compromise due to deterministically generated cookie", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-12-05T00:00:00.000Z", "ID": "CVE-2018-1279", "STATE": "PUBLIC", "TITLE": "RabbitMQ cluster compromise due to deterministically generated cookie"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RabbitMq for PCF", "version": {"version_data": [{"affected": ">", "version_affected": ">", "version_name": "all versions", "version_value": "1"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Insufficiently Random Values"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2018-1279", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-1279"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:59:37.260Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2018-1279"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1279", "datePublished": "2018-12-10T19:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-17T00:37:15.917Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "8ECA11BE-4AD5-41B4-9828-037E3D36F94E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."}, {"lang": "es", "value": "Pivotal RabbitMQ para PCF, en todas las versiones, emplea una cookie generada de forma determin\u00edstica compartida entre todas las m\u00e1quinas cuando se configura en un cl\u00faster multiinquilino. Un atacante remoto que pueda obtener informaci\u00f3n sobre la topolog\u00eda de la red puede adivinar esta cookie y, si tienen acceso a los puertos correctos en cualquier servidor del cl\u00faster MQ, puede emplear esta cookie para obtener el control total del cl\u00faster completo."}], "id": "CVE-2018-1279", "lastModified": "2019-10-09T23:38:18.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2018-12-10T19:29:25.127", "references": [{"source": "security_alert@emc.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-1279"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rabbitmq-server: Deterministically generated cookie shared between all machines", "id": "1661092", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1661092"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-330->CWE-290", "details": ["Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.", "RabbitMQ, versions up to and including 3.7.9, use an insecure method for generating authentication cookies when configuring clustered operations. It is possible to determine the cookie given adequate network topology information. Using the default cookie generated by RabbitMQ when forming a RabbitMQ cluster may lead to privileged access if the cookie is determined."], "name": "CVE-2018-1279", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Out of support scope", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Out of support scope", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Out of support scope", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2018-12-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1279\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1279\nhttps://pivotal.io/security/cve-2018-1279"], "statement": "OpenShift Online:\nRabbitMQ is only used by the Ansible Tower, which is not a standard part of the OpenShift product, however is deployed as a management tool.\nThis is set as deferred as it has no impact to customers and is not deployed in a clustered configuration. A cluster using an Erlang-generated cookie would be required for cookie guessing to provide and environmental leverage.\nOpenStack:\nFor RHOSP10+, the rabbit cookie is set to a random string during deployment, rather than relying on Erlang to generate the cookie, if the cookie has not been overridden in the deployment configuration. In either case, this avoids the predictable Erlang cookie generation highlighted by this flaw, meaning RHOSP10+ is not vulnerable. Further mitigating the flaw, is the fact that RabbitMQ, in an OpenStack context, is deployed to the admin network and as such should only be accessible to OpenStack services, not public users via an external network.\nFor RHOSP8+9, when deployed with Director (TripleO), the RabbitMQ salt is initialized via the Heat RandomString function, also bypassing this vulnerability. RHOSP8+9 however did not use Director as the default deployment mechanism. When installing RHOSP manually in these versions, our installation documentation does not provide guidance for configuring clustered RabbitMQ. It is safe to assume that some customers may have this configured in an insecure way, despite the fact that we would not have told them how to install and configure a cluster in a vulnerable way.\nAnsible Tower:\nIn Tower we do not use the programmatic cookie generation that gives rise to this vulnerability. Instead we use cookiemonster. So this issue does not affect Ansible Tower.\nCloudForms (CFME):\nRabbitMQ shipped with CloudForms is exclusively used by Ansible Tower. Since Ansible Tower is not vulnerable, due to the reasons described above, then CloudForms isn't, as well.", "threat_severity": "Important"}