===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2432
                      rabbitmq-server security update
                               20 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rabbitmq-server
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22116 CVE-2019-11287 CVE-2019-11281
                   CVE-2017-4967 CVE-2017-4966 CVE-2017-4965

Reference:         ESB-2021.2233
                   ESB-2020.0135

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2710-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
July 19, 2021                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : rabbitmq-server
Version        : 3.6.6-1+deb9u1
CVE ID         : CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281 
                 CVE-2019-11287 CVE-2021-22116

Several vulnerabilities were discovered in rabbitmq-server, a message
broker.

CVE-2017-4965

    Several forms in the RabbitMQ management UI are vulnerable to XSS 
    attacks.

CVE-2017-4966

    The RabbitMQ management UI stores signed-in user credentials in the
    browser's local storage without expiration, making it possible to
    retrieve them using a chained attack.

CVE-2017-4967

    Several forms in the RabbitMQ management UI are vulnerable to XSS 
    attacks.

CVE-2019-11281

    The virtual host limits page and the federation management UI do
    not properly sanitize user input. A remote authenticated malicious
    user with administrative access could craft a cross-site scripting
    attack that would gain access to virtual host and policy management
    information.

CVE-2019-11287

    The "X-Reason" HTTP Header can be leveraged to insert a malicious 
    Erlang format string that will expand and consume the heap, 
    resulting in the server crashing.

CVE-2021-22116

    A malicious user can exploit the vulnerability by sending 
    malicious AMQP messages to the target RabbitMQ instance.

For Debian 9 stretch, these problems have been fixed in version
3.6.6-1+deb9u1.

We recommend that you upgrade your rabbitmq-server packages.

For the detailed security status of rabbitmq-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rabbitmq-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================