1658394 – (CVE-2018-16879) CVE-2018-16879 Tower: security channel is not set properly for AMPQ connection

Bug 1658394 (CVE-2018-16879) - CVE-2018-16879 Tower: security channel is not set properly for AMPQ connection

Summary: CVE-2018-16879 Tower: security channel is not set properly for AMPQ connection

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-16879
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1658395
Blocks:	1658219
TreeView+	depends on / blocked

Reported:	2018-12-11 23:44 UTC by Borja Tarraso
Modified:	2021-02-16 22:39 UTC (History)
CC List:	18 users (show)
Fixed In Version:	ansible-tower 3.3.3
Doc Type:	If docs needed, set a value
Doc Text:	Tower does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files.
Clone Of:
Environment:
Last Closed:	2020-04-21 10:31:52 UTC
Embargoed:

Attachments	(Terms of Use)

Description Borja Tarraso 2018-12-11 23:44:52 UTC

Arbitrary messages can be sent to celery workers regardless of ownership.

Tower does not set a secure channel, as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. The actual configuration setting that controls the channel securely is BROKER_URL, but Tower sets wrongly as CHANNEL_BROKER_URL, which does nothing.

This could lead in data leak of sensitive information such as passwords as well as DoS attacks by deleting projects or inventory files.

Comment 8 Richard Maciel Costa 2019-02-11 22:35:44 UTC

Statement:

Red Hat CloudForms versions 4.5 and 4.6 ship an ansible-tower which correctly sets the security channel by default. Red Hat CloudForms version 4.7 ships ansible-tower 3.3.3 which already contains the fix.

Comment 9 Product Security DevOps Team 2020-04-21 10:31:52 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16879

Note You need to log in before you can comment on or make changes to this bug.