Skip to content

Predictable credential obfuscation seed value used in Shovel and Federation plugins

Moderate
michaelklishin published GHSA-v9gv-xp36-jgj8 Oct 5, 2022

Package

rabbitmq-server (RabbitMQ)

Affected versions

<3.10.2
<3.9.18
<3.8.32

Patched versions

3.10.2
3.9.18
3.8.32

Description

Impact

Shovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt
the URI was seeded with a predictable secret.

This means that in case of certain exceptions related to Shovel and Federation plugins,
reasonably easily deobfuscatable data could appear in the node log.

Patched versions correctly use a cluster-wide secret for that purpose.

Patches

Patched versions:

  • 3.10.2
  • 3.9.18
  • 3.8.32

Workarounds

Disable Shovel and Federation plugins.

Credits

RabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions
for responsibly disclosing and working with us on a patch for this vulnerability.

For more information

Severity

Moderate
5.5
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-31008

Weaknesses

No CWEs