Bug 2141397 (CVE-2022-31008) - CVE-2022-31008 rabbitmq-server: URI encryption with predictable secret seed
Summary: CVE-2022-31008 rabbitmq-server: URI encryption with predictable secret seed
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2022-31008
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2141412 2141413 2141414 2141415 2141416
Blocks: 2141108
Reported: 2022-11-09 17:45 UTC by Anten Skrabec
Modified: 2022-12-07 13:03 UTC (History)
CC List: 9 users

Fixed In Version: rabbitmq-server 3.10.2, rabbitmq-server 3.9.18, rabbitmq-server 3.8.32
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in RabbitMQ. The Shovel and Federation plugins obfuscate the upstream URI held in their worker (link) state, but the key used to encrypt that URI was seeded with a predictable secret, so anyone who can reproduce the seed can reverse the obfuscation. When certain exceptions are raised by the Shovel or Federation plugins, the obfuscated URI can appear in the node log; such URIs commonly embed the credentials used to connect to the upstream, which are therefore recoverable from the log.
Clone Of:
Environment:
Last Closed: 2022-12-07 13:03:07 UTC
Embargoed:



Description Anten Skrabec 2022-11-09 17:45:38 UTC
RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log.

Comment 1 Anten Skrabec 2022-11-09 18:43:09 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 2141412]
Affects: fedora-all [bug 2141413]

Comment 4 Product Security DevOps Team 2022-12-07 13:03:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31008
