In RabbitMQ, the 'loopback_users' configuration directive allows specifying a list of users that are only permitted to connect to the broker via localhost. It was found that RabbitMQ's management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that the attacker must know valid user credentials in order to connect to the broker.

Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt
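The flaw described above comes down to one question: which address does the broker use when deciding whether a 'loopback_users' entry is connecting from localhost? The following is an added illustration, not RabbitMQ's own (Erlang) code and not derived from the upstream patches. It contrasts a resolver that lets any client-supplied 'X-Forwarded-For' override the socket peer address with one that only honours the header when the TCP peer is a configured trusted proxy, and then takes the right-most address that a trusted proxy did not itself append. The trusted-proxy list, the sample addresses and the header dictionaries are constructed for the example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed sample configuration: reverse proxies that are allowed to set
# X-Forwarded-For. In a real deployment this comes from configuration; here it
# is an assumption made for the example.
TRUSTED_PROXIES = frozenset(ipaddress.ip_address(a) for a in ("10.0.0.2",))


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_xff(value: str) -> list:
    """Split a comma-separated X-Forwarded-For value into ip_address objects.

    Entries that do not parse as IP addresses are dropped rather than trusted.
    """
    out = []
    for part in value.split(","):
        part = part.strip()
        try:
            out.append(ipaddress.ip_address(part))
        except ValueError:
            continue
    return out


def remote_address_unchecked(peer_ip: str, headers: Mapping[str, str]):
    """Flawed resolution: any X-Forwarded-For value overrides the peer address.

    This mirrors the class of mistake in the advisory: the header is attacker
    controlled, so a remote client can claim to be 127.0.0.1.
    """
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        chain = _parse_xff(xff)
        if chain:
            return chain[0]
    return ipaddress.ip_address(peer_ip)


def remote_address_checked(peer_ip: str, headers: Mapping[str, str],
                           trusted_proxies: Iterable = TRUSTED_PROXIES):
    """Hardened resolution.

    The header is consulted only when the TCP peer is a trusted proxy. Proxies
    append to X-Forwarded-For, so the chain is walked from the right and the
    first address that is not itself a trusted proxy is the client as seen by
    the nearest trusted hop. Anything the client prepended is left of that and
    never reached.
    """
    trusted = set(trusted_proxies)
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return peer  # direct connection: the socket peer is authoritative
    xff = _header(headers, "X-Forwarded-For")
    chain = _parse_xff(xff) if xff else []
    for addr in reversed(chain):
        if addr not in trusted:
            return addr
    return peer  # header absent or only trusted hops listed


def loopback_user_allowed(username: str, peer_ip: str, headers: Mapping[str, str],
                          loopback_users: Iterable[str],
                          trusted_proxies: Iterable = TRUSTED_PROXIES) -> bool:
    """Apply a loopback_users-style rule using the hardened address resolution."""
    if username not in set(loopback_users):
        return True  # rule does not apply to this user
    addr = remote_address_checked(peer_ip, headers, trusted_proxies)
    return addr.is_loopback


if __name__ == "__main__":
    hdrs = {"X-Forwarded-For": "127.0.0.1"}
    print("unchecked:", remote_address_unchecked("203.0.113.5", hdrs))
    print("checked:  ", remote_address_checked("203.0.113.5", hdrs))
```

Run directly, the unchecked resolver reports 127.0.0.1 for a connection that actually came from 203.0.113.5, while the checked resolver keeps the socket peer address. A deployment that never places a reverse proxy in front of the management interface can simply leave the trusted-proxy set empty, which makes the header irrelevant to the loopback decision.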
Created rabbitmq-server tracking bugs for this issue: Affects: fedora-all [bug 1174874] Affects: epel-all [bug 1174875] Affects: epel-all [bug 1174876]
rabbitmq-server-3.3.5-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.