Bug 1448337 (CVE-2017-4966)

Summary: CVE-2017-4966 rabbitmq: Authentication details are stored in browser-local storage without expiration
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, eglynn, erlang, hubert.plociniczak, jeckersb, jjoyce, josh, jschluet, kbasil, lemenkov, lhh, lpeer, lsvaty, markmc, mburns, mgarciac, pgrist, plemenko, rbryant, rjones, sclewis, sisharma, slong, srevivo, s, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rabbitmq-server 3.6.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-03 00:55:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1448338, 1448339    
Bug Blocks: 1448341    

Description Andrej Nemec 2017-05-05 08:53:58 UTC 
It was found that the rabbitmq authentication details are being stored indefinitely in the local browser cache.

External References:

https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9
Comment 1 Andrej Nemec 2017-05-05 08:56:14 UTC 
Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1448338]
Affects: fedora-24 [bug 1448339]
Comment 4 Siddharth Sharma 2017-05-29 02:54:42 UTC 
upstream fix:

https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d293899384f078872ff9e9f3e10
Comment 6 Adam Mariš 2017-05-30 07:37:14 UTC 
Statement:

This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default. 
To verify your environment's plugin usage, run: 
# rabbitmq-plugins list

A future update may address this issue. Red Hat Product Security has rated this issue as having Moderate security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.