Arbitrary messages can be sent to Celery workers regardless of ownership. Tower does not set a secure channel, because it uses the default, insecure channel configuration for messaging Celery workers via RabbitMQ. The configuration setting that actually controls channel security is BROKER_URL, but Tower wrongly sets it as CHANNEL_BROKER_URL, which does nothing. This could lead to a leak of sensitive information such as passwords, as well as DoS attacks by deleting projects or inventory files.
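The root cause above is a broker URL assigned to a key Celery never reads, so the worker silently falls back to Celery's default broker settings. The following audit helper, an added example that is not Tower's, Red Hat's or Celery's own code, shows the misconfigured settings beside the corrected form and flags the misnamed key. It assumes the old-style upper-case Celery settings are available as a plain dict and takes the fallback value from Celery's documented default (guest account on localhost); the key names BROKER_URL and CHANNEL_BROKER_URL come from the advisory, while the hostnames and credentials are constructed for illustration.

```python
"""Audit old-style (upper-case) Celery settings for a broker URL assigned to a
key Celery never reads, the misconfiguration the advisory describes.

Added example; not Tower's, Red Hat's or Celery's own code. Key names
BROKER_URL and CHANNEL_BROKER_URL come from the advisory; the settings dicts,
hostnames and credentials below are constructed for illustration.
"""
from urllib.parse import urlparse

# Assumption: Celery's documented default when BROKER_URL is unset is the
# RabbitMQ guest account on localhost, without TLS.
CELERY_DEFAULT_BROKER_URL = "amqp://guest@localhost//"

# The key Celery actually reads, and the misnamed key that silently does nothing.
EFFECTIVE_KEY = "BROKER_URL"
MISNAMED_KEY = "CHANNEL_BROKER_URL"


def effective_broker_url(settings):
    """Return the URL Celery will really use: BROKER_URL if set, else its default."""
    return settings.get(EFFECTIVE_KEY, CELERY_DEFAULT_BROKER_URL)


def audit_broker_settings(settings):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if MISNAMED_KEY in settings and EFFECTIVE_KEY not in settings:
        findings.append(
            f"{MISNAMED_KEY} is set but Celery only reads {EFFECTIVE_KEY}; "
            f"the worker falls back to {CELERY_DEFAULT_BROKER_URL}"
        )
    url = urlparse(effective_broker_url(settings))
    if url.username in (None, "guest"):
        findings.append("broker URL uses the default/unauthenticated guest account")
    # BROKER_USE_SSL is Celery's old-style switch for TLS on the broker connection.
    if not settings.get("BROKER_USE_SSL"):
        findings.append("BROKER_USE_SSL is not enabled; broker traffic is in clear text")
    return findings


# Constructed settings: the misconfigured form (misnamed key) and the corrected form.
MISCONFIGURED = {
    "CHANNEL_BROKER_URL": "amqp://tower:s3cret@rabbit.example.internal:5672/tower",
}
CORRECTED = {
    "BROKER_URL": "amqp://tower:s3cret@rabbit.example.internal:5672/tower",
    "BROKER_USE_SSL": True,
}

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(f"{name}: effective broker = {effective_broker_url(cfg)}")
        for finding in audit_broker_settings(cfg):
            print("  !", finding)
```

The point the audit makes visible is that the misconfigured dict looks complete to a human reader (it carries a real user, password and host), yet `effective_broker_url` resolves to the guest default because the value sits under a key the consumer ignores. Checking what the consumer actually resolves, rather than what the settings file appears to say, is the generic defence against this class of misnamed-setting bug.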
Statement: Red Hat CloudForms versions 4.5 and 4.6 ship an ansible-tower that correctly sets the secure channel by default. Red Hat CloudForms version 4.7 ships ansible-tower 3.3.3, which already contains the fix.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16879