Bug 1782623 (CVE-2019-19342)

Summary: CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web socket 500 error
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, jfrey, jhardy, jlaska, kdixon, obarenbo, roliveri, security-response-team, simaishi, smallamp
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible_tower 3.6.2, ansible_tower 3.5.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower 3.6.1 and 3.5.3 when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-16 20:09:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1782627, 1782628    
Bug Blocks: 1782616    

Description Borja Tarraso 2019-12-12 01:01:03 UTC
The usage of the '#' character in RabbitMQ passwords causes web socket with HTTP 500 error. That response code includes the HTTP status which would disclosure partially the password in plaintext.

Comment 5 Borja Tarraso 2019-12-12 14:22:15 UTC
Mitigation:

This issue could be mitigated by setting or changing the RabbitMQ passwords without using the specials characters. Complex passwords could still remain or even increase by using unpredictable longer strings. This adds much more entropy rather than just using special characters in shorter strings.

Comment 6 errata-xmlrpc 2019-12-16 18:34:20 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.5 for RHEL 7

Via RHSA-2019:4242 https://access.redhat.com/errata/RHSA-2019:4242

Comment 7 errata-xmlrpc 2019-12-16 18:36:34 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2019:4243 https://access.redhat.com/errata/RHSA-2019:4243

Comment 8 Product Security DevOps Team 2019-12-16 20:09:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19342