Bug 1783318 (CVE-2019-11287)

Summary: CVE-2019-11287 rabbitmq-server: "X-Reason" HTTP Header can be leveraged to insert a malicious string leading to DoS
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apevec, dbecker, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, jeckersb, jfrey, jhardy, jjoyce, jlaska, jschluet, kbasil, kdixon, lemenkov, lhh, lpeer, mburns, obarenbo, plemenko, rjones, roliveri, sclewis, simaishi, slinaber, slong, smallamp, s
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rabbitmq-server 3.7.21, rabbitmq-server 3.8.1
Doc Type: If docs needed, set a value
Doc Text:
A resource-consumption flaw was identified in the rabbitmq-server web management plugin. Utilizing a malicious 'X-Reason' HTTP header, a remote attacker could insert a malicious Erlang format string which will expand and consume heap memory, resulting in a crash. The highest threat from this vulnerability is system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-01-13 14:09:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1783319, 1783324, 1784274, 1784275, 1784276
Bug Blocks: 1783322

Description Marian Rehak 2019-12-13 15:00:06 UTC
There's a vulnerability in the web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Comment 1 Marian Rehak 2019-12-13 15:00:22 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: fedora-all [bug 1783319]

Comment 2 Marian Rehak 2019-12-13 15:01:34 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: openstack-rdo [bug 1783324]

Comment 8 Summer Long 2020-01-06 00:34:30 UTC
External References:

https://pivotal.io/security/cve-2019-11287

Comment 11 Nick Tait 2020-01-08 23:56:58 UTC
Mitigation:

This flaw can be mitigated by disabling the Web Management plugin: rabbitmq-plugins disable rabbitmq_management.
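A defensive check derived from the Doc Text and the mitigation above, added here as an example and not part of the bug report or of RabbitMQ: it flags requests whose X-Reason header carries Erlang format-control sequences (`~` directives), so that a reverse proxy or log review can spot such traffic where the management plugin cannot be disabled outright. The sample requests and the directive regex are constructed approximations, not taken from the report.

```python
import re

# Approximation of an Erlang io_lib:format directive: "~", optional field
# width (number or *), optional ".precision", optional ".pad", optional
# modifiers, then a control character. Meant to flag, not to fully parse.
ERLANG_DIRECTIVE = re.compile(
    r"~(?:-?\d+|\*)?(?:\.(?:\d+|\*))?(?:\.(?:\*|.))?[tlkK]*[cfegswpWPBXbx#+ni~]"
)


def parse_headers(raw_request: str) -> dict:
    """Return the headers of a raw HTTP request as a lowercase-keyed dict."""
    headers = {}
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def suspicious_x_reason(raw_request: str) -> list:
    """List the Erlang format directives found in X-Reason (empty if none)."""
    value = parse_headers(raw_request).get("x-reason", "")
    return ERLANG_DIRECTIVE.findall(value)


# Constructed sample traffic: a normal close reason and one containing directives.
BENIGN_REQUEST = (
    "DELETE /api/connections/example HTTP/1.1\r\n"
    "Host: rabbitmq.internal\r\n"
    "X-Reason: Closed by operator ~ routine maintenance\r\n"
    "\r\n"
)
SUSPECT_REQUEST = (
    "DELETE /api/connections/example HTTP/1.1\r\n"
    "Host: rabbitmq.internal\r\n"
    "X-Reason: ~p~n\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, suspicious_x_reason(req))
```

A lone `~` followed by a space (as in the benign sample) is not a directive and is not flagged.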

Comment 15 Summer Long 2020-01-09 04:27:09 UTC
Statement:

Red Hat Ansible Tower and Red Hat CloudForms are not vulnerable as they do not expose the RabbitMQ management interface by default. 
In Red Hat OpenStack Platform 13, the management interface was not enabled by default. So, although the flaw code was packaged, its impact for this version has been lowered to Moderate.

Comment 16 errata-xmlrpc 2020-01-13 10:11:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:0078 https://access.redhat.com/errata/RHSA-2020:0078

Comment 17 Product Security DevOps Team 2020-01-13 14:09:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11287