RabbitMQ vulnerabilities


Marco Schmucki
Feb 2, 2022, 10:38:37 AM
to rabbitmq-users
Hi all,

We're running RabbitMQ version 3.8.9 and have some security vulnerabilities (see the Excel sheet in the attachment).

--> Are these security issues fixed with the latest & greatest RabbitMQ version (3.9.13)?

Many thanks for your feedback.

Best regards,
Marco


RabbitMQ_Security_Issues.xlsx

Wes Peng
Feb 2, 2022, 6:57:21 PM
to rabbitm...@googlegroups.com
Try to run the whole cluster in a local network and export no ports externally.
Anyway, upgrading to the latest version is a must.

Thanks 

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/b53f4090-9eeb-4c7d-9d50-1be3513ba7e6n%40googlegroups.com.

Adam Cammack
Feb 3, 2022, 10:09:04 AM
to rabbitm...@googlegroups.com

Hi Marco,

How are you deploying RabbitMQ? None of these vulnerabilities affect the RabbitMQ server. Most of these seem to be for an old golang installation, which is not used by the RabbitMQ server. The OpenSSL vulnerabilities will not affect Erlang since it uses its own TLS implementation using OpenSSL cryptographic primitives and Erlang does not try to use SM2. systemd (CVE-2021-33910) is a part of the operating system itself, and RabbitMQ has no dependency on using a particular version (or any at all, depending on the installation).

I strongly recommend patching these by updating Go, OpenSSL, and systemd, and I do recommend upgrading RabbitMQ to get the bug fixes and features from the last year and a half, but these CVEs are not issues with RabbitMQ itself.

Hope this helps,

Adam

Marco Schmucki
Feb 4, 2022, 4:06:03 AM
to rabbitm...@googlegroups.com
Hi Adam,

Many thanks for your feedback.

To your first question "How are you deploying RabbitMQ?": I'm using the official Docker image from Docker Hub; below you can see my Dockerfile:

FROM rabbitmq:3.9.13-management
# Install tzdata non-interactively: without -y apt-get prompts for confirmation
# and aborts the build, since there is no terminal during "docker build".
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata && rm -rf /var/lib/apt/lists/*
# Enable the shovel plugin while the broker is not running
RUN rabbitmq-plugins enable --offline rabbitmq_shovel
COPY cluster-entrypoint.sh /usr/local/bin/cluster-entrypoint.sh


To your statements "None of these vulnerabilities affect the RabbitMQ server." and "but these CVEs are not issues with RabbitMQ itself": then it must be the Debian operating system inside the official RabbitMQ Docker container?

Yes, I've updated my RabbitMQ to 3.9.13 and I will scan it again.

Best regards,
Marco
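Adam's reply sorts the scanner findings by which part of the image owns the flagged file (RabbitMQ server, Erlang, a stray Go toolchain, or a distro package), and Marco's follow-up asks whether the remainder is the base operating system of the container. The script below is an added example, not code from this thread, from RabbitMQ or from the official image: it takes a scanner export reduced to CSV rows of cve,package,installed,fixed,path (a constructed sample is embedded; apart from CVE-2021-33910 the CVE ids are placeholders and every version number is illustrative), assigns each finding to a layer by file path (the paths are assumptions about the image layout), and decides whether a finding is still open by comparing the installed and fixed package versions with the same ordering rules dpkg uses (epoch, then upstream version, then Debian revision, with "~" sorting before everything). The output separates what an image rebuild on a patched base fixes from what a RabbitMQ upgrade would fix, which on this sample is nothing.

```python
"""Triage container-scanner findings by the image layer that owns each file.

Added example for this thread; not code from RabbitMQ or from anyone in the
discussion. Layer paths are assumptions about the official image layout; the
embedded scan export is constructed and its versions are illustrative.
"""
import csv
import io
import re

# Ownership rules, tried in order. Assumed layout: the server under /opt/rabbitmq,
# Erlang under .../lib/erlang, a Go toolchain under /usr/local/go, and anything
# else under the usual system prefixes is a distro (dpkg) package.
LAYER_RULES = [
    ("rabbitmq", re.compile(r"^/opt/rabbitmq/")),
    ("erlang", re.compile(r"/lib/erlang/")),
    ("go-toolchain", re.compile(r"^/usr/local/go/|^/usr/lib/go")),
    ("os-package", re.compile(r"^/(usr|lib|bin|sbin|etc)/")),
]

# Constructed sample export: placeholder CVE ids (except CVE-2021-33910 from the
# thread) and illustrative version numbers, not the real fixed versions.
SCAN_EXPORT = """cve,package,installed,fixed,path
CVE-2021-33910,systemd,247.3-6,247.3-7,/lib/systemd/systemd
CVE-0000-0001,openssl,1.1.1k-1+deb11u1,1.1.1n-0+deb11u1,/usr/lib/x86_64-linux-gnu/libssl.so.1.1
CVE-0000-0002,libc6,2.31-13+deb11u3,2.31-13+deb11u2,/lib/x86_64-linux-gnu/libc.so.6
CVE-0000-0003,stdlib,1.15.0,1.16.0,/usr/local/go/bin/go
"""


def _order(c):
    """Character weight used by dpkg: '~' sorts before anything, even end of string."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _char(s, i):
    return s[i] if i < len(s) else None


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternating non-digit runs (by _order) and numeric runs (by value)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac, bc = _order(_char(a, ia)), _order(_char(b, ib))
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """dpkg --compare-versions ordering: <0 if v1 < v2, 0 if equal, >0 if v1 > v2."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def classify_path(path):
    for layer, pattern in LAYER_RULES:
        if pattern.search(path):
            return layer
    return "unknown"


def triage(export_csv):
    """Map layer -> [(cve, package, status)]; status is 'open' while installed < fixed."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        status = "open" if compare_versions(row["installed"], row["fixed"]) < 0 else "fixed"
        result.setdefault(classify_path(row["path"]), []).append((row["cve"], row["package"], status))
    return result


def open_by_layer(export_csv):
    """Only the still-open findings, keyed by the layer whose update closes them."""
    return {layer: [cve for cve, _, status in rows if status == "open"]
            for layer, rows in triage(export_csv).items()
            if any(status == "open" for _, _, status in rows)}


if __name__ == "__main__":
    for layer, cves in open_by_layer(SCAN_EXPORT).items():
        print(f"{layer}: {', '.join(cves)}")
```

On the sample, no finding lands in the rabbitmq or erlang layers, so a RabbitMQ upgrade alone would not change the scan result; the open items belong to distro packages (closed by rebuilding on a freshly patched base image, or by an apt upgrade in the Dockerfile) and to a Go toolchain the broker never executes. Rescanning after the rebuild, as Marco plans, is the check that confirms the triage.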
