CVE-2022-31008 - OpenCVE

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vmware	Rabbitmq

Configuration 1 [-]

OR	cpe:2.3:a:vmware:rabbitmq::::::::
	cpe:2.3:a:vmware:rabbitmq::::::::
	cpe:2.3:a:vmware:rabbitmq::::::::

No data.

References

Link	Providers
https://github.com/rabbitmq/rabbitmq-server/pull/4841
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8
https://nvd.nist.gov/vuln/detail/CVE-2022-31008
https://www.cve.org/CVERecord?id=CVE-2022-31008

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-06T00:00:00

Updated: 2024-08-03T07:03:40.269Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31008

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-06T18:16:00.783

Modified: 2023-07-21T17:09:18.657

Link: CVE-2022-31008

Redhat

Severity : Moderate

Publid Date: 2022-10-05T00:00:00Z

Links: CVE-2022-31008 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31008", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T07:03:40.269Z", "dateReserved": "2022-05-18T00:00:00", "datePublished": "2022-10-06T00:00:00"}, "containers": {"cna": {"title": "Predictable credential obfuscation seed value used in rabbitmq-server", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins."}], "affected": [{"vendor": "rabbitmq", "product": "rabbitmq-server", "versions": [{"version": "< 3.8.32", "status": "affected"}, {"version": ">= 3.9.0, < 3.9.18", "status": "affected"}, {"version": ">= 3.10.0, < 3.10.2", "status": "affected"}]}], "references": [{"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"}, {"url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-330: Use of Insufficiently Random Values", "cweId": "CWE-330"}]}], "source": {"advisory": "GHSA-v9gv-xp36-jgj8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.269Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8", "tags": ["x_transferred"]}, {"url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7ACC5FD-236D-4454-B306-C5C8F70FB5B7", "versionEndExcluding": "3.8.32", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6E32B0B-C0C0-4D8F-9EA0-A611F9542942", "versionEndExcluding": "3.9.18", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "99B5A575-A35B-4844-A3A6-647A0DAFC7AF", "versionEndExcluding": "3.10.2", "versionStartIncluding": "3.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins."}, {"lang": "es", "value": "RabbitMQ es un broker de mensajer\u00eda y streaming multiprotocolo. En versiones afectadas los plugins shovel y federation llevan a cabo una ofuscaci\u00f3n de URI en su estado de trabajador (enlace). La clave de cifrado usada para cifrar el URI fue sembrada con un secreto predecible. Esto significa que en caso de determinadas excepciones relacionadas con los plugins Shovel y Federation, podr\u00edan aparecer datos razonablemente f\u00e1ciles de des ofuscar en el registro del nodo. Las versiones parcheadas usan correctamente un secreto para todo el cl\u00faster a tal efecto. Este problema se ha solucionado y las versiones parcheadas: \"3.10.2\", \"3.9.18\", \"3.8.32\" est\u00e1n disponibles. Los usuarios que no puedan actualizar deber\u00e1n deshabilitar los plugins Shovel y Federation"}], "id": "CVE-2022-31008", "lastModified": "2023-07-21T17:09:18.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-06T18:16:00.783", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-335"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-330"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "rabbitmq-server: URI encryption with predictable secret seed", "id": "2141397", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141397"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-337", "details": ["RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.", "A flaw was found in RabbitMQ. The shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. In certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log."], "name": "CVE-2022-31008", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 17.0"}], "public_date": "2022-10-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31008\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31008\nhttps://github.com/rabbitmq/rabbitmq-server/pull/4841\nhttps://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"], "threat_severity": "Moderate", "upstream_fix": "rabbitmq-server 3.10.2, rabbitmq-server 3.9.18, rabbitmq-server 3.8.32"}