Bug 1185515 (CVE-2014-9650)

Summary: CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, erlang, gkotton, gmollett, hubert.plociniczak, jeckersb, josh, jrusnack, jschluet, lemenkov, lhh, lpeer, markmc, plemenko, rbryant, rjones, sclewis, slong, s, tdecacqu, yeylon
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rabbitmq-server-3.5.1-1.fc22 Doc Type: Bug Fix
Doc Text:
A response-splitting vulnerability was discovered in RabbitMQ. An /api/definitions URL could be specified, which then caused an arbitrary additional header to be returned. A remote attacker could use this flaw to inject arbitrary HTTP headers and possibly gain access to secure data.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-08 23:41:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1185516, 1185517, 1304946, 1304947, 1304948, 1304949, 1304950    
Bug Blocks: 1185513    

Description Kurt Seifried 2015-01-24 05:15:19 UTC 
26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0) 

Bug 26433 allowed an attacker to specify a URL to /api/definitions which 
would cause an arbitrary additional header to be returned. This was 
fixed by stripping out CR/LF from the "download" query string parameter.

Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/dceba16cc105

References:
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
Comment 1 Kurt Seifried 2015-01-24 05:16:42 UTC 
Created rabbitmq-server tracking bugs for this issue:

Affects: fedora-all [bug 1185516]
Affects: epel-all [bug 1185517]
Comment 2 Peter Lemenkov 2015-10-23 21:17:27 UTC 
Both this and corresponding bug 1185514 were addressed in RabbitMQ 3.4.1. We already ship ver. 3.5.x, so this issue is already fixed in Fedora 22+.

As for Fedora 21 users, we strongly advise users to upgrade to F22 or to the upcoming F23.
Comment 3 Peter Lemenkov 2015-10-23 21:23:27 UTC 
Reopening - unfortunately it still not fixed for EPEL7.
Comment 4 Fedora Update System 2015-11-21 14:25:20 UTC 
rabbitmq-server-3.3.5-12.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 errata-xmlrpc 2016-02-29 05:10:40 UTC 
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0308 https://rhn.redhat.com/errata/RHSA-2016-0308.html
Comment 10 errata-xmlrpc 2016-03-08 22:54:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2016:0369 https://rhn.redhat.com/errata/RHSA-2016-0369.html
Comment 11 errata-xmlrpc 2016-03-08 22:55:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2016:0368 https://rhn.redhat.com/errata/RHSA-2016-0368.html
Comment 12 errata-xmlrpc 2016-03-08 22:56:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:0367 https://rhn.redhat.com/errata/RHSA-2016-0367.html