===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2432
                      rabbitmq-server security update
                                20 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rabbitmq-server
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22116 CVE-2019-11287 CVE-2019-11281 CVE-2017-4967
                   CVE-2017-4966 CVE-2017-4965
Reference:         ESB-2021.2233
                   ESB-2020.0135

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2710-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
July 19, 2021                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : rabbitmq-server
Version        : 3.6.6-1+deb9u1
CVE ID         : CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281
                 CVE-2019-11287 CVE-2021-22116

Several vulnerabilities were discovered in rabbitmq-server, a message-broker
software.

CVE-2017-4965

    Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

CVE-2017-4966

    The RabbitMQ management UI stores signed-in user credentials in the
    browser's local storage without expiration, making it possible to
    retrieve them using a chained attack.

CVE-2017-4967

    Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

CVE-2019-11281

    The virtual host limits page and the federation management UI do not
    properly sanitize user input. A remote authenticated malicious user with
    administrative access could craft a cross-site scripting attack that
    would gain access to virtual hosts and policy management information.

CVE-2019-11287

    The "X-Reason" HTTP header can be leveraged to insert a malicious Erlang
    format string that will expand and consume the heap, resulting in the
    server crashing.

CVE-2021-22116

    A malicious user can exploit the vulnerability by sending malicious AMQP
    messages to the target RabbitMQ instance.

For Debian 9 stretch, these problems have been fixed in version
3.6.6-1+deb9u1.

We recommend that you upgrade your rabbitmq-server packages.

For the detailed security status of rabbitmq-server please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/rabbitmq-server

Further information about Debian LTS security advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
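Added example (not part of the Debian advisory or the AusCERT bulletin): a small Python reimplementation of dpkg's version ordering, used to decide whether an installed rabbitmq-server package is still older than the fixed version 3.6.6-1+deb9u1 named in DLA-2710-1 above, so a fleet inventory can be checked without shelling out to dpkg on every host. SAMPLE_DPKG_OUTPUT is a constructed sample of `dpkg-query -W` output; the comparison mirrors dpkg's published algorithm (epoch, then upstream, then Debian revision; `~` sorts before everything; digit runs compare numerically) but is this example's own code.

```python
import re

# Fixed version named in DLA-2710-1 for Debian 9 stretch (taken from the advisory above).
FIXED_VERSIONS = {"rabbitmq-server": "3.6.6-1+deb9u1"}
# Constructed sample of 'dpkg-query -W rabbitmq-server' output from an unpatched host.
SAMPLE_DPKG_OUTPUT = "rabbitmq-server\t3.6.6-1\n"

def _order(c):
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256  # dpkg: '~' sorts before everything else

def _verrevcmp(a, b):
    """Compare one version part (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until one side differs.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so leading zeros are ignored as in dpkg.
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, as 'dpkg --compare-versions v1 lt|eq|gt v2' decides."""
    def split(v):  # -> (epoch, upstream, debian_revision), split as dpkg does
        m = re.fullmatch(r"(?:(\d+):)?(.+?)(?:-([^-]+))?", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or ""
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_affected(package, installed):
    """True when the installed version is older than the advisory's fixed version."""
    fixed = FIXED_VERSIONS.get(package)
    return fixed is not None and compare_versions(installed, fixed) < 0

def affected_packages(dpkg_output):
    """Names from 'dpkg-query -W' output (name<TAB>version per line) that still need the update."""
    return [p for p, v in (ln.split() for ln in dpkg_output.splitlines() if ln) if is_affected(p, v)]
```

Note that a stretch-backports build such as 3.6.6-1~bpo9+1 also compares as older than 3.6.6-1+deb9u1, which is the dpkg behaviour an inventory check needs.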