1409748 – (CVE-2016-9877) CVE-2016-9877 rabbitmq: MQTT connection authentication succeeds with empty password

Bug 1409748 (CVE-2016-9877) - CVE-2016-9877 rabbitmq: MQTT connection authentication succeeds with empty password

Summary: CVE-2016-9877 rabbitmq: MQTT connection authentication succeeds with empty pa...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2016-9877
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1409749 1409750
Blocks:	1409752
TreeView+	depends on / blocked

Reported:	2017-01-03 08:52 UTC by Martin Prpič
Modified:	2021-03-11 14:53 UTC (History)
CC List:	26 users (show)
Fixed In Version:	RabbitMQ 3.5.8, RabbitMQ 3.6.6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-04-13 02:40:36 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	rabbitmq rabbitmq-mqtt pull 98	0	None	None	None	2017-12-07 08:02:08 UTC

Description Martin Prpič 2017-01-03 08:52:59 UTC

It was found that RabbitMQ's MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Comment 1 Martin Prpič 2017-01-03 08:53:21 UTC

External References:

https://pivotal.io/security/cve-2016-9877

Comment 2 Martin Prpič 2017-01-03 08:54:09 UTC

Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1409749]
Affects: fedora-all [bug 1409750]

Comment 3 Siddharth Sharma 2017-02-06 08:14:41 UTC

Upstream Fix:

https://github.com/rabbitmq/rabbitmq-mqtt/issues/96, This seems to be upstream fix

https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be
https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7

Comment 7 Peter Lemenkov 2017-12-06 12:31:27 UTC

Indeed we don't use MQTT in our OpenStack configuration, so it was decided that the impact of this issue is negligibly low.

It's possible to backport the fix to OSP10 though.

Note You need to log in before you can comment on or make changes to this bug.

aortega
apevec
ayoung
chrisw
cvsbot-xmlrpc
erlang
hubert.plociniczak
jeckersb
jjoyce
josh
jpadman
jschluet
kbasil
kiyyappa
lemenkov
lhh
lpeer
markmc
plemenko
rbryant
rjones
sclewis
sisharma
srevivo
s
tdecacqu