CVE-2016-9877 RabbitMQ authentication vulnerability


Severity

Critical

Vendor

Pivotal

Versions Affected
  • Pivotal RabbitMQ:
    • 3.x versions prior to 3.5.8
    • 3.6.x versions prior to 3.6.6
  • RabbitMQ for PCF:
    • 1.5.x versions prior to 1.5.20
    • 1.6.x versions prior to 1.6.12
    • 1.7.x versions prior to 1.7.7
Description

MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Mitigation

Users of affected standalone RabbitMQ versions should apply the following mitigation:

  • Upgrade RabbitMQ 3.x versions to 3.5.8 or later
  • Upgrade RabbitMQ 3.6.x versions to 3.6.6 or later

Users of affected Pivotal Cloud Foundry versions should apply the following mitigation:

  • Upgrade RabbitMQ for PCF 1.5.x versions to 1.5.20 or later
  • Upgrade RabbitMQ for PCF 1.6.x versions to 1.6.12 or later
  • Upgrade RabbitMQ for PCF 1.7.x versions to 1.7.7 or later

Operators who cannot immediately upgrade should do the following:

  • Enable TLS with client-provided certificates for MQTT connections
  • Switch to unique (difficult to guess) usernames