SUMMARY
We are unable to resolve the AMQP Cleartext Authentication vulnerability (TEN-87733, CVSSv3 4.3 Medium) on our StackStorm deployment. When we enable TLS on RabbitMQ on port 5671, some StackStorm components fail with ECONNREFUSED errors. This forces us to revert the changes — ssl configuration, revert amqps:// to amqp:// in st2.conf — which brings the vulnerability back.
STACKSTORM VERSION
st2 2.7.2, on Python 2.7
OS, environment, install method
- OS: Linux (RHEL/CentOS 7)
- StackStorm: 2.7.2
- Python: 2.7 (EOL January 2020)
- RabbitMQ: rabbitmq-server-3.7.15-1.el7.noarch (EOL September 2020)
- Install method: RPM packages (.el7)
Steps to reproduce the problem
- Enable TLS on RabbitMQ 3.7.15 (configure SSL certificates, enable TLS listener on port
5671).
- Disable plain-text AMQP listener on port 5671 (we use 5671 as our AMQP port) and enable TLS on the same port.3. Update
/etc/st2/st2.conf messaging URL to amqps:// on port 5671.
- Update Mistral configuration to use
amqps:// with ca_cert.
- Restart RabbitMQ and StackStorm services.
- Some StackStorm components fail to start with connection errors.
What we tried
- Followed StackStorm forum documentation to enable TLS/SSL on RabbitMQ.
- Configured RabbitMQ 3.7.15 TLS listener on port
5671 with SSL certificates.
- Updated
/etc/st2/st2.conf messaging URL from amqp:// to amqps:// on port 5671.
- Updated Mistral configuration to use
amqps:// with ca_cert.
- Restarted RabbitMQ and all StackStorm services.
- Result: Some StackStorm components fail with
ECONNREFUSED errors.
- Had to revert all changes — removed SSL listener, reverted
amqps:// to amqp:// in st2 and mistral, removed ca_cert — to restore functionality.
- Previously the fix appeared to work for few months after changing the port from 5672 to 5671, after few months it came back.
Expected Results
All StackStorm components (st2api, st2rulesengine, st2actionrunner, mistral) should connect to RabbitMQ over TLS without errors.
Actual Results
When TLS is enabled on RabbitMQ and StackStorm is configured to use amqps://:
- Some StackStorm components fail to start or throw connection errors.
- We are forced to revert to clear-text AMQP to keep the platform operational.
- This brings the vulnerability back.
Error from application logs (/opt/stackstorm/log/st2/):
ERROR connection_retry_wrapper [-] RabbitMQ connection or channel error: [Errno 111] ECONNREFUSED.
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/transport/connection_retry_wrapper.py", line 116, in run
channel = connection.channel()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 266, in channel
chan = self.transport.create_channel(self.connection)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 802, in connection
self._connection = self._establish_connection()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 757, in _establish_connection
conn = self.transport.establish_connection()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/transport/pyamqp.py", line 130, in establish_connection
conn.connect()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/connection.py", line 282, in connect
self.transport.connect()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/transport.py", line 109, in connect
self._connect(self.host, self.port, self.connect_timeout)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/transport.py", line 150, in _connect
self.sock.connect(sa)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/eventlet/greenio/base.py", line 264, in connect
socket_checkerr(fd)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/eventlet/greenio/base.py", line 50, in socket_checkerr
raise socket.error(err, errno.errorcode[err])
error: [Errno 111] ECONNREFUSED
This error appears in st2api, st2rulesengine, and st2actionrunner logs. The ECONNREFUSED indicates that RabbitMQ's TLS listener is not running or not binding to port 5671 when TLS is enabled.
Thanks!
SUMMARY
We are unable to resolve the AMQP Cleartext Authentication vulnerability (TEN-87733, CVSSv3 4.3 Medium) on our StackStorm deployment. When we enable TLS on RabbitMQ on port 5671, some StackStorm components fail with
ECONNREFUSEDerrors. This forces us to revert the changes — ssl configuration, revertamqps://toamqp://in st2.conf — which brings the vulnerability back.STACKSTORM VERSION
st2 2.7.2, on Python 2.7
OS, environment, install method
Steps to reproduce the problem
5671)./etc/st2/st2.confmessaging URL toamqps://on port5671.amqps://with ca_cert.What we tried
5671with SSL certificates./etc/st2/st2.confmessaging URL fromamqp://toamqps://on port5671.amqps://with ca_cert.ECONNREFUSEDerrors.amqps://toamqp://in st2 and mistral, removed ca_cert — to restore functionality.Expected Results
All StackStorm components (st2api, st2rulesengine, st2actionrunner, mistral) should connect to RabbitMQ over TLS without errors.
Actual Results
When TLS is enabled on RabbitMQ and StackStorm is configured to use
amqps://:Error from application logs (
/opt/stackstorm/log/st2/):ERROR connection_retry_wrapper [-] RabbitMQ connection or channel error: [Errno 111] ECONNREFUSED.
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/transport/connection_retry_wrapper.py", line 116, in run
channel = connection.channel()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 266, in channel
chan = self.transport.create_channel(self.connection)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 802, in connection
self._connection = self._establish_connection()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 757, in _establish_connection
conn = self.transport.establish_connection()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/transport/pyamqp.py", line 130, in establish_connection
conn.connect()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/connection.py", line 282, in connect
self.transport.connect()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/transport.py", line 109, in connect
self._connect(self.host, self.port, self.connect_timeout)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/transport.py", line 150, in _connect
self.sock.connect(sa)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/eventlet/greenio/base.py", line 264, in connect
socket_checkerr(fd)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/eventlet/greenio/base.py", line 50, in socket_checkerr
raise socket.error(err, errno.errorcode[err])
error: [Errno 111] ECONNREFUSED
This error appears in st2api, st2rulesengine, and st2actionrunner logs. The
ECONNREFUSEDindicates that RabbitMQ's TLS listener is not running or not binding to port5671when TLS is enabled.Thanks!