
CVE-2018-1279: RabbitMQ cluster compromise due to deterministically generated cookie

Severity

High

Vendor

Pivotal

Description

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster, can use this cookie to gain full control over the entire cluster.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • All versions of RabbitMQ for PCF are affected if:
    • The cluster is multi-tenant
    • The Erlang cookie was not manually configured
    • Connections from untrusted sources on ports 4369 and 25672 are allowed
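As an added defender-side check (not Pivotal's or RabbitMQ's code), the script below audits the conditions the advisory lists: it parses `ss -ltn` output for 4369/25672 listeners bound beyond loopback, and flags an Erlang cookie that is short, patterned, or readable by other users. The 20-character length and 3-bits-per-character thresholds, the `ss` column layout and the sample listener lines are assumptions constructed for the example; the entropy heuristic cannot prove a cookie was randomly generated, so a cookie that was never set by hand should still be replaced.

```python
import math
from collections import Counter

# From the advisory: epmd (4369) and Erlang distribution (25672) must not
# accept connections from untrusted sources.
DISTRIBUTION_PORTS = {4369, 25672}
# Heuristics (assumptions, not from the advisory): a runtime-generated cookie is
# 20 characters, and under 3 bits/char of Shannon entropy means a patterned value.
MIN_COOKIE_LEN = 20
MIN_BITS_PER_CHAR = 3.0

# Constructed sample of `ss -ltn` output (not captured from a real node).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:4369        0.0.0.0:*
LISTEN 0      128    [::]:25672          [::]:*
LISTEN 0      128    127.0.0.1:15672     0.0.0.0:*
LISTEN 0      128    *:5672              *:*
"""


def exposed_distribution_ports(ss_output: str) -> list[str]:
    """Parse `ss -ltn` output; flag 4369/25672 listeners bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, port = parts[3].rpartition(":")  # split "[::]:25672" safely
        if port.isdigit() and int(port) in DISTRIBUTION_PORTS:
            host = addr.strip("[]") or "*"
            if host not in ("127.0.0.1", "::1"):
                findings.append(f"port {port} bound on {host}: reachable beyond this host")
    return findings


def cookie_findings(cookie: str, file_mode: int) -> list[str]:
    """Flag a short or patterned cookie and a cookie file readable by group/others."""
    findings = []
    if len(cookie) < MIN_COOKIE_LEN:
        findings.append(f"cookie is {len(cookie)} chars; expected >= {MIN_COOKIE_LEN}")
    counts = Counter(cookie)
    bits = -sum(c / len(cookie) * math.log2(c / len(cookie)) for c in counts.values())
    if bits < MIN_BITS_PER_CHAR:
        findings.append(f"cookie entropy {bits:.2f} bits/char looks patterned; set one manually")
    if file_mode & 0o077:
        findings.append(f"cookie file mode {file_mode:04o} is readable by group/others; use 0400")
    return findings
```

To run it against a live node, pass the cookie file's content and `stat.S_IMODE(os.stat(path).st_mode)` to `cookie_findings`, and the real `ss -ltn` output to `exposed_distribution_ports`.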

Mitigation

Users of affected versions should apply the following mitigation:

History

2018-12-05: Initial vulnerability report published