Bug 1658394 (CVE-2018-16879) - CVE-2018-16879 Tower: security channel is not set properly for AMPQ connection
Summary: CVE-2018-16879 Tower: security channel is not set properly for AMPQ connection
Status: NEW
Alias: CVE-2018-16879
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181220,repor...
Keywords: Security
Depends On: 1658395
Blocks: 1658219
TreeView+ depends on / blocked
 
Reported: 2018-12-11 23:44 UTC by Borja Tarraso
Modified: 2019-02-11 22:35 UTC (History)
18 users (show)

Fixed In Version: ansible-tower 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
Tower does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Borja Tarraso 2018-12-11 23:44:52 UTC
Arbitrary messages can be sent to celery workers regardless of ownership.

Tower does not set a secure channel, as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. The actual configuration setting that controls the channel securely is BROKER_URL, but Tower sets wrongly as CHANNEL_BROKER_URL, which does nothing.

This could lead in data leak of sensitive information such as passwords as well as DoS attacks by deleting projects or inventory files.

Comment 8 Richard Maciel Costa 2019-02-11 22:35:44 UTC
Statement:

Red Hat CloudForms versions 4.5 and 4.6 ship an ansible-tower which correctly sets the security channel by default. Red Hat CloudForms version 4.7 ships ansible-tower 3.3.3 which already contains the fix.


Note You need to log in before you can comment on or make changes to this bug.