Bug 799416 (CVE-2021-32718, CVE-2021-32719) - <net-misc/rabbitmq-server-3.8.19: multiple vulnerabilities (CVE-2021-{32718,32719})
Status: IN_PROGRESS
Alias: CVE-2021-32718, CVE-2021-32719
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa? cleanup]
Keywords:
Depends on: 805023
Blocks: CVE-2021-22116
Reported: 2021-07-01 02:24 UTC by John Helmert III
Modified: 2021-08-19 17:45 UTC
CC List: 1 user

See Also:
Package list:
net-misc/rabbitmq-server-3.8.19-r1
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-07-01 02:24:28 UTC
CVE-2021-32718 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772):

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's name being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

CVE-2021-32719 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x):

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper `<script>` tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.


Please bump to 3.8.18.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-18 17:56:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc357e6ce980ecef8c70a10cbb550654da494821

commit cc357e6ce980ecef8c70a10cbb550654da494821
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-18 17:53:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-18 17:56:39 +0000

    net-misc/rabbitmq-server: bump to version 3.8.19
    
    Bug: https://bugs.gentoo.org/797217
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/701252
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 +
 .../rabbitmq-server/rabbitmq-server-3.8.19.ebuild  | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2021-08-16 05:13:47 UTC
amd64 stable
Comment 3 Sam James archtester gentoo-dev Security 2021-08-19 01:07:37 UTC
x86 done

all arches done
Comment 4 John Helmert III gentoo-dev Security 2021-08-19 17:45:42 UTC
Please cleanup.