Bug 1409748 – CVE-2016-9877 rabbitmq: MQTT connection authentication succeeds with empty password

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1409748 - (CVE-2016-9877) CVE-2016-9877 rabbitmq: MQTT connection authentication succeeds with empty password

Summary:	CVE-2016-9877 rabbitmq: MQTT connection authentication succeeds with empty pa...

Status:	CLOSED WONTFIX

Aliases:	CVE-2016-9877

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20161220,repor...
Keywords:	Security

Depends On:	1409749 1409750
Blocks:	1409752
	Show dependency tree / graph

Reported:	2017-01-03 03:52 EST by Martin Prpič
Modified:	2017-12-07 03:02 EST (History)
CC List:	26 users (show)

See Also:
Fixed In Version:	RabbitMQ 3.5.8, RabbitMQ 3.6.6
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-04-12 22:40:36 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Github	rabbitmq/rabbitmq-mqtt/pull/98	None	None	None	2017-12-07 03:02 EST

Groups: None (edit)

Description Martin Prpič 2017-01-03 03:52:59 EST

It was found that RabbitMQ's MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Comment 1 Martin Prpič 2017-01-03 03:53:21 EST

External References:

https://pivotal.io/security/cve-2016-9877

Comment 2 Martin Prpič 2017-01-03 03:54:09 EST

Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1409749]
Affects: fedora-all [bug 1409750]

Comment 3 Siddharth Sharma 2017-02-06 03:14:41 EST

Upstream Fix:

https://github.com/rabbitmq/rabbitmq-mqtt/issues/96, This seems to be upstream fix

https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be
https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7

Comment 7 Peter Lemenkov 2017-12-06 07:31:27 EST

Indeed we don't use MQTT in our OpenStack configuration, so it was decided that the impact of this issue is negligibly low.

It's possible to backport the fix to OSP10 though.

Note You need to log in before you can comment on or make changes to this bug.

aortega
apevec
ayoung
chrisw
cvsbot-xmlrpc
erlang
hubert.plociniczak
jeckersb
jjoyce
josh
jpadman
jschluet
kbasil
kiyyappa
lemenkov
lhh
lpeer
markmc
plemenko
rbryant
rjones
sclewis
sisharma
srevivo
s
tdecacqu