Bug 1782624 (CVE-2019-19340)

Summary: CVE-2019-19340 Tower: enabling RabbitMQ manager in the installer exposes the management interface publicly
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, jfrey, jhardy, jlaska, kdixon, obarenbo, roliveri, security-response-team, simaishi, smallamp
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible_tower 3.6.2, ansible_tower 3.5.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower 3.6.1 and 3.5.3. Enabling the RabbitMQ management plugin by passing '-e rabbitmq_enable_manager=true' to the installer exposes the RabbitMQ management interface publicly (the expected effect of that option). If the default admin user is still active, an attacker could guess its password and gain access to the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-12-16 20:09:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1782629, 1782630
Bug Blocks: 1782617

Description Borja Tarraso 2019-12-12 01:01:15 UTC
Using '-e rabbitmq_enable_manager=true' in the installer exposes the RabbitMQ management interface publicly with a guessable admin user.

Comment 1 Borja Tarraso 2019-12-12 01:01:17 UTC
Acknowledgments:

Name: Ryan Petrello (Red Hat)

Comment 6 errata-xmlrpc 2019-12-16 18:34:20 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.5 for RHEL 7

Via RHSA-2019:4242 https://access.redhat.com/errata/RHSA-2019:4242

Comment 7 errata-xmlrpc 2019-12-16 18:36:34 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2019:4243 https://access.redhat.com/errata/RHSA-2019:4243

Comment 8 Product Security DevOps Team 2019-12-16 20:09:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19340

Comment 10 Eric Christensen 2019-12-16 21:10:53 UTC
Mitigation:

The issue could be mitigated by limiting access to the interface to internal trusted networks, limiting the open ports and setting more restrictive firewall rules. Some of these instructions are already suggested in the Ansible Tower documentation as part of the Ansible Tower Administration Guide. The issue could also be mitigated by deleting the default guest user by running the command "rabbitmqctl delete_user guest".
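The following POSIX shell script is an added example, not code from the Tower installer, the advisory or the commenters. It checks a Tower node for the two conditions that make up this bug (the management interface bound to a non-loopback address, as described in the Doc Text and the description, and the default guest account still present) and then applies the mitigations listed in comment 10. It assumes the management plugin listens on RabbitMQ's default 15672/tcp, that firewalld is the host firewall (RHEL 7), and a placeholder trusted network of 10.0.0.0/8; the ss and rabbitmqctl outputs it parses are constructed samples, not captures from a real system, and DRY_RUN=1 (the default here) only prints the hardening commands.

```sh
#!/bin/sh
# Added example for CVE-2019-19340 (not code from the Tower installer or the
# advisory). Audits a Tower node for the exposure pattern described in the bug
# and applies the mitigations listed in comment 10.
#
# Assumptions (hypothetical defaults, adjust for your site):
#   - the RabbitMQ management plugin listens on 15672/tcp (RabbitMQ's default)
#   - firewalld is the host firewall (RHEL 7)
#   - TRUSTED_NET is the internal network that may reach the interface
#   - DRY_RUN=1 prints the hardening commands instead of executing them

MGMT_PORT=15672
TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/8}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `ss -ltn` output on an exposed node (not captured from
# a real system): the management port is bound to all interfaces.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:15672      0.0.0.0:*
LISTEN 0      128    127.0.0.1:5672     0.0.0.0:*'
# Constructed sample after hardening: bound to loopback only.
SAMPLE_SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:15672    0.0.0.0:*'

# Constructed samples of `rabbitmqctl list_users` output, before and after
# the default guest account is removed.
SAMPLE_USERS_EXPOSED='Listing users ...
user    tags
guest   [administrator]
tower   [administrator]'
SAMPLE_USERS_SAFE='Listing users ...
user    tags
tower   [administrator]'

# mgmt_listens_publicly SS_OUTPUT: succeeds when MGMT_PORT is bound to a
# non-loopback address. Handles 0.0.0.0, [::], and the older ss spellings
# "*" and ":::" by stripping the port and comparing the remainder.
mgmt_listens_publicly() {
    printf '%s\n' "$1" | awk -v port="$MGMT_PORT" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# guest_user_present USERS_OUTPUT: succeeds when the default "guest" user exists.
guest_user_present() {
    printf '%s\n' "$1" | awk '$1 == "guest" { found = 1 } END { exit found ? 0 : 1 }'
}

# audit_findings SS_OUTPUT USERS_OUTPUT: reports each finding on stderr and
# prints the number of findings on stdout (0 means nothing to fix).
audit_findings() {
    n=0
    if mgmt_listens_publicly "$1"; then
        echo "FINDING: RabbitMQ management interface on $MGMT_PORT/tcp is bound to a non-loopback address" >&2
        n=$((n + 1))
    fi
    if guest_user_present "$2"; then
        echo "FINDING: default RabbitMQ user 'guest' still exists" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# harden: the mitigations from comment 10. Drop any blanket opening of the
# management port, allow it only from TRUSTED_NET via a firewalld rich rule,
# and delete the default guest account.
harden() {
    rule="rule family=\"ipv4\" source address=\"$TRUSTED_NET\" port port=\"$MGMT_PORT\" protocol=\"tcp\" accept"
    run firewall-cmd --permanent --remove-port="$MGMT_PORT/tcp"
    run firewall-cmd --permanent --add-rich-rule="$rule"
    run firewall-cmd --reload
    run rabbitmqctl delete_user guest
}

# Stand-alone run on the constructed samples, then a dry-run preview of the
# hardening. On a real node, feed live output instead:
#   audit_findings "$(ss -ltn)" "$(rabbitmqctl list_users)"
# and set DRY_RUN=0 before calling harden.
echo "findings on exposed sample:  $(audit_findings "$SAMPLE_SS_EXPOSED" "$SAMPLE_USERS_EXPOSED")"
echo "findings on hardened sample: $(audit_findings "$SAMPLE_SS_SAFE" "$SAMPLE_USERS_SAFE")"
harden
```

Deleting the guest account is the cheaper of the two mitigations but only closes the guessable-credential half of the problem; the management interface itself stays reachable until the firewall rule (or binding the plugin to loopback) is in place, so both steps belong together.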