RabbitMQ 3.8 Security Vulnerabilities


Sharique Alam, Oct 16, 2019, 6:06:06 AM, to rabbitmq-users
@Luke Bakken 
Thanks, I have upgraded RabbitMQ to 3.8 and Erlang to 22.1.3.

The following security issues are fixed.
jQuery Vulnerability: CVE-2012-6708 (jquery-cve-2012-6708)
jQuery Vulnerability: CVE-2014-6071 (jquery-cve-2014-6071)

But we still see the following. Could you please let us know if we have a solution for these?

DOM-based Cross Site Scripting Vulnerability (http-client-side-xss)
Click Jacking (http-generic-click-jacking) on port 15672

Thanks & Regards,
Sharique Alam

Luke Bakken, Oct 16, 2019, 1:33:49 PM, to rabbitmq-users
Hello,

We can't do anything with this report, because we have no idea how to reproduce "DOM-based Cross Site Scripting Vulnerability" or "Click Jacking".

Please provide concrete reproduction steps. If you are using an automatic scanner, at the very least let us know what product it is and share more details about exactly how the scan is performed for those two issues. Maybe a log file can tell us exactly what HTTP request or requests triggered these warnings.

Thanks,
Luke

Originally reported here:

Sharique Alam, Oct 16, 2019, 2:12:23 PM, to rabbitmq-users
Hi Luke,

Thanks for your help.

The client is using the Netsparker tool to do the security scan.

Regarding the DOM XSS vulnerability, the following is mentioned.
Hope it gives some context.

In http://<hostname>:15672/js/main.js
Line 53: Unsafe client output calling window.location.replace() with tainted arg
Line 52: Assignment of "location" to user-controlled value
Line 52: Result of taint-preserving function call on user-controlled value
Line 52: "location.substr" is controlled by the user

In http://<hostname>:15672/js/main.js
Line 69: Unsafe client output calling window.location.replace() with tainted arg
Line 67: Assignment of "location" to user-controlled value
Line 67: String concatenation with usercontrolled value
Line 67: String concatenation with user-controlled value
Line 67: Result of taint-preserving function call on user-controlled value
Line 67: "location.substr" is controlled by the user

Thanks.
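The scanner output above describes a taint flow (a value derived from `location` reaching `window.location.replace()`), not a confirmed exploit; whether such a flow is exploitable depends on what the code does with the value before the sink. The following is an added example, not RabbitMQ's `main.js` and not code from the thread: a small redirect helper that only follows a candidate derived from the URL when it resolves to the same origin. The `window` stand-in, the `broker.example:15672` origin and the sample inputs are all constructed for the illustration.

```javascript
// Added example (not RabbitMQ's main.js): a client-side redirect helper that
// only follows targets derived from the current URL when they resolve to the
// same origin. A scanner flags window.location.replace() called with a value
// derived from location.* as a DOM-XSS sink; a validation step like the one
// below is what a reviewer would look for between the source and the sink.

// Return a same-origin path ("/path?query#frag") or null if the candidate
// would navigate elsewhere. Only relative paths are accepted; `origin` is e.g.
// "http://broker.example:15672" (hostname is a placeholder).
function sameOriginTarget(candidate, origin) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  // Reject protocol-relative ("//other.example") and backslash variants
  // before the URL parser normalises them into a different host.
  if (!candidate.startsWith('/') || candidate.startsWith('//') || candidate.startsWith('/\\')) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(candidate, origin);
  } catch (e) {
    return null;
  }
  if (parsed.origin !== origin) return null;
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Redirect only through the validated path. Returns the target actually used,
// or null when the candidate was refused. `win` is injected so the helper can
// be exercised without a browser (a constructed stand-in is used below).
function redirectSameOrigin(win, candidate) {
  const target = sameOriginTarget(candidate, win.location.origin);
  if (target === null) return null;
  win.location.replace(target);
  return target;
}

// Constructed stand-in for window, recording what replace() was called with.
function fakeWindow(origin) {
  const calls = [];
  return {
    location: { origin, replace: (t) => calls.push(t) },
    calls,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const w = fakeWindow('http://broker.example:15672');
  const samples = ['/#/queues', '/queues?name=a#b', '//other.example/', 'javascript:alert(1)', '/\\other.example'];
  for (const c of samples) {
    console.log(JSON.stringify(c), '->', JSON.stringify(redirectSameOrigin(w, c)));
  }
}
```

The check deliberately rejects absolute URLs as well as cross-origin ones: a redirect that is only ever meant to move within the management UI has no reason to accept anything but a path, and refusing the whole class is simpler to review than an allow-list of hosts.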

Michael Klishin, Oct 16, 2019, 2:22:26 PM, to rabbitmq-users
RabbitMQ 3.8 ships with jQuery 3.4.1 [1]. We upgraded to it three months ago.

The CVEs in question affect jQuery 1.4 and 1.9 [2][3]. Something (e.g. a browser cache)
causes an old version to load in your environment.

Michael Klishin, Oct 16, 2019, 2:26:12 PM, to rabbitmq-users
If you head to https://www.rabbitmq.com/ and scroll down, you will find a link for responsible vulnerability disclosure.

What you are doing here is neither responsible [as in established security practices] nor productive.

Not every security scan warning is an actual vulnerability and not every vulnerability can be practically exploited.
See what the functions do for yourself [1].

We have plans to ship new management UI code in 3.9. For now we would appreciate specific, actionable
advice on such warnings, reported responsibly in private.


On Wednesday, October 16, 2019 at 9:12:23 PM UTC+3, Sharique Alam wrote:

Luke Bakken, Oct 16, 2019, 2:26:31 PM, to rabbitmq-users
Hi Sharique,

The code causing those alerts can be found here:


I can't really see what the issue is. This code has been in use for at least 3 years without issue or report of security problems. If your team would like to submit a pull request to address this "security alert" while preserving the current behavior, we would gladly review it.

For what it's worth, the RabbitMQ management interface is intended to be used by operators and not to be generally available via a public address.

Thanks,
Luke

Wesley Peng, Oct 16, 2019, 2:38:17 PM, to rabbitm...@googlegroups.com

I agree with Luke; the management GUI should be limited to access from within the internal network. Open accessibility to that console from outside is always dangerous.

Regards 

Luke Bakken <lba...@pivotal.io> wrote on Thu, Oct 17, 2019 at 2:26 AM:
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/83a45cda-0aec-4966-95fd-ccf74330d2aa%40googlegroups.com.

Sharique Alam, Oct 17, 2019, 3:40:08 AM, to rabbitmq-users
Thanks Luke, Michael and Wesley for your inputs.

I don't have an issue with any of the vulnerabilities; it's just that our customer is reporting these vulnerabilities and wants them to be fixed.

As far as I understand, please let me know if we have a solution for the below pending vulnerabilities which came up in the report.
If not, and restricting access to the management UI is the only solution, then please confirm.

DOM-based Cross Site Scripting Vulnerability (http-client-side-xss)
Click Jacking (http-generic-click-jacking) on port 1567

Thanks in advance for all your help.
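A generic clickjacking finding such as "http-generic-click-jacking" is normally raised when a response carries neither a `Content-Security-Policy` `frame-ancestors` directive nor an `X-Frame-Options` header. The following added example, which is not code from the thread or from the RabbitMQ project, evaluates a set of response headers the way such a check does, so that a team can verify whether whatever sits in front of the UI (a reverse proxy is one assumed possibility, not something the thread states) is adding the protection. The header sets are constructed samples.

```javascript
// Added example, not from the RabbitMQ project: decide whether a response's
// headers restrict framing, which is what a generic clickjacking check
// looks for. Header objects use lower-case keys, as Node's http module does.

// Parse a Content-Security-Policy value into a Map of directive -> tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns { protected: boolean, reason: string }.
function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp).get('frame-ancestors');
    if (ancestors) {
      // Per CSP, a frame-ancestors directive takes precedence over
      // X-Frame-Options when both are present, so decide on it alone.
      const allowsAny = ancestors.some((t) => {
        const v = t.toLowerCase();
        return v === '*' || v === 'http:' || v === 'https:';
      });
      return allowsAny
        ? { protected: false, reason: `frame-ancestors permits any origin: ${ancestors.join(' ')}` }
        : { protected: true, reason: `frame-ancestors ${ancestors.join(' ')}` };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') {
      return { protected: true, reason: `X-Frame-Options: ${v}` };
    }
    // ALLOW-FROM is obsolete and ignored by current browsers; other values are invalid.
    return { protected: false, reason: `X-Frame-Options value not enforced by current browsers: ${xfo}` };
  }
  return { protected: false, reason: 'no frame-ancestors directive and no X-Frame-Options header' };
}

// Constructed sample responses: the first resembles a page with no framing
// controls, the others show the headers a proxy or the app could add.
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html' },
  xfoSameOrigin: { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' },
  cspNone: { 'content-type': 'text/html', 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOverridesXfo: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
  obsoleteAllowFrom: { 'x-frame-options': 'ALLOW-FROM https://portal.example' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    const r = framingProtection(headers);
    console.log(`${name}: ${r.protected ? 'protected' : 'NOT protected'} (${r.reason})`);
  }
}
```

Running the checker against the live response of the management port, rather than against constructed headers, is the confirmation step: if the headers are already present and the scanner still reports the finding, the report is about something other than framing headers and the scanner's own request log is the next thing to look at.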

Michael Klishin, Oct 17, 2019, 4:14:02 AM, to rabbitmq-users

We cannot comment on one-line descriptions, even if they are used by OWASP [2]. We need specific
steps to reproduce, and I'm afraid "buy a license of X and run a scan" is not something we can work with.

For example, CVE IDs are specific and in most cases actionable. "Client side XSS" is a broad range of possible attacks,
many of which require a pretty specific set of circumstances. We have addressed at least three XSS vulnerabilities in the last
couple of years IIRC [1].

FWIW, the RabbitMQ management UI requires user authentication and elevated privileges before it can be accessed.
In 3.8 you don't have to enable it to get monitoring and metrics [3][4], which sidesteps any UI code-related
issues found by the scanner, whether they are legitimate or not.




--
MK

Staff Software Engineer, Pivotal/RabbitMQ