[Security] 3.3.x rabbitmq_management incorrectly trusts "X-Forwarded-For" header


Simon MacMullen

Oct 21, 2014, 10:30:55 AM
to rabbitm...@googlegroups.com
RabbitMQ 3.3.0 introduced a mechanism (the 'loopback_users'
configuration item) allowing access for some users to be restricted to
only connect via localhost. By default the "guest" user is restricted in
this way.

Unfortunately, the HTTP framework used by the management plugin trusts
the easily-forged "X-Forwarded-For" header when determining the remote
address. It is therefore possible to subvert this access control
mechanism for the HTTP API. Attackers would still need to know or guess
the username and password.

This bug is fixed in the 3.4.0 release. Users of RabbitMQ 3.3.x who rely
on 'loopback_users' and cannot immediately upgrade to 3.4.0 can also
download an updated management plugin from:

http://www.rabbitmq.com/releases/plugins/v3.3.x/rabbitmq_management-3.3.5.bug26414.ez

and install it as documented at:

http://www.rabbitmq.com/installing-plugins.html

This is based on the management plugin from RabbitMQ 3.3.5. It is safe
to install on a machine running previous versions of RabbitMQ as early
as 3.3.0; earlier versions did not have this access control mechanism so
there is nothing to fix.

If installed on RabbitMQ 3.3.0 or 3.3.1 the updated plugin will
therefore also fix the following bugs:

(Originally fixed in 3.3.1)

bug fixes
26140 prevent malformed message being created when publishing with priority or timestamp properties set (since 2.4.0)
26110 ensure statistics database GC works in a timely manner when the number of objects tracked grows rapidly (since 3.1.0)
26124 prevent "" being added as the last element of an array when adding an array to queue or exchange arguments via the web UI (since 3.2.0)

(Originally fixed in 3.3.2)

bug fixes
26197 fix garbled error message if importing JSON definitions file with invalid input (since 2.1.0)
26209 ensure reasons for authentication failure are always logged (since 2.1.0)
enhancements
25376 add documentation on the JSON schema returned by GET queries

Cheers, Simon
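As an added illustration (not RabbitMQ's code, and in Python rather than Erlang), the bug class the advisory describes: a loopback-only check that derives the client address from X-Forwarded-For, beside one that honours that header only when the TCP peer is an operator-configured reverse proxy. The function names, the trusted-proxy set and the sample addresses are assumptions constructed for this example.

```python
# Added illustration (not RabbitMQ code) of the bug class in the advisory:
# a "loopback only" check fails open when the remote address comes from a
# client-controlled X-Forwarded-For header instead of the TCP peer address.
import ipaddress

LOOPBACK_USERS = frozenset({"guest"})  # mirrors the 3.3.x default


def _xff(headers):
    """X-Forwarded-For value, header name matched case-insensitively."""
    return {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")


def vulnerable_remote_addr(peer_ip, headers):
    """Bug pattern: whoever sent the request chooses the address we check."""
    xff = _xff(headers)
    return xff.split(",")[0].strip() if xff else peer_ip


def safe_remote_addr(peer_ip, headers, trusted_proxies=frozenset()):
    """Honour X-Forwarded-For only if the TCP peer is an operator-configured
    proxy, and then take the rightmost entry (the one that proxy appended),
    never a value the client could have written. Assumes one proxy layer."""
    xff = _xff(headers)
    if xff and peer_ip in trusted_proxies:
        return xff.split(",")[-1].strip()
    return peer_ip


def login_allowed(user, remote_addr):
    """Apply the loopback_users restriction; unparsable addresses are denied."""
    if user not in LOOPBACK_USERS:
        return True
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def demo():
    """Constructed requests: TCP peer is remote, header claims 127.0.0.1."""
    peer, forged = "198.51.100.7", {"X-Forwarded-For": "127.0.0.1"}
    # Same header after a trusted proxy at 10.0.0.2 appended the real peer.
    via_proxy = {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"}
    return {
        "vulnerable": login_allowed("guest", vulnerable_remote_addr(peer, forged)),
        "fixed": login_allowed("guest", safe_remote_addr(peer, forged)),
        "fixed_behind_proxy": login_allowed(
            "guest", safe_remote_addr("10.0.0.2", via_proxy, {"10.0.0.2"})),
    }  # → {'vulnerable': True, 'fixed': False, 'fixed_behind_proxy': False}
```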