Bug 1782623 (CVE-2019-19342) - CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web socket 500 error
Summary: CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web soc...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19342
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1782627 1782628
Blocks: 1782616
TreeView+ depends on / blocked
 
Reported: 2019-12-12 01:01 UTC by Borja Tarraso
Modified: 2021-02-16 20:52 UTC (History)
14 users (show)

Fixed In Version: ansible_tower 3.6.2, ansible_tower 3.5.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower 3.6.1 and 3.5.3 when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.
Clone Of:
Environment:
Last Closed: 2019-12-16 20:09:24 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4242 0 None None None 2019-12-16 18:34:22 UTC
Red Hat Product Errata RHSA-2019:4243 0 None None None 2019-12-16 18:36:36 UTC

Description Borja Tarraso 2019-12-12 01:01:03 UTC
The usage of the '#' character in RabbitMQ passwords causes web socket with HTTP 500 error. That response code includes the HTTP status which would disclosure partially the password in plaintext.

Comment 5 Borja Tarraso 2019-12-12 14:22:15 UTC
Mitigation:

This issue could be mitigated by setting or changing the RabbitMQ passwords without using the specials characters. Complex passwords could still remain or even increase by using unpredictable longer strings. This adds much more entropy rather than just using special characters in shorter strings.

Comment 6 errata-xmlrpc 2019-12-16 18:34:20 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.5 for RHEL 7

Via RHSA-2019:4242 https://access.redhat.com/errata/RHSA-2019:4242

Comment 7 errata-xmlrpc 2019-12-16 18:36:34 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2019:4243 https://access.redhat.com/errata/RHSA-2019:4243

Comment 8 Product Security DevOps Team 2019-12-16 20:09:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19342


Note You need to log in before you can comment on or make changes to this bug.