Bug 1448335 (CVE-2017-4965)

Summary: CVE-2017-4965 rabbitmq: XSS vulnerability in management UI
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, erlang, hubert.plociniczak, jeckersb, jjoyce, josh, jschluet, kbasil, lemenkov, lhh, lpeer, markmc, plemenko, rbryant, rjones, sclewis, sisharma, slong, srevivo, s, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rabbitmq-server 3.6.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-03 00:55:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1448338, 1448339    
Bug Blocks: 1448341    

Description Andrej Nemec 2017-05-05 08:50:21 UTC
A cross site scripting vulnerability was found in the management UI of RabbitMQ.

External References:

https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9

Comment 1 Andrej Nemec 2017-05-05 08:55:23 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1448338]
Affects: fedora-24 [bug 1448339]

Comment 4 Adam Mariš 2017-05-30 07:37:58 UTC
Statement:

This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default. 
To verify your environment's plugin usage, run: 
# rabbitmq-plugins list

A future update may address this issue. Red Hat Product Security has rated this issue as having Moderate security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.