RabbitMQ downloads binary over http without verification

Bug #1791674 reported by Joshua Padman
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kolla
Fix Released
Undecided
Unassigned

Bug Description

Hi,

Recently it was seen that Kolla was including a RabbitMQ plugin which is downloaded from the RabbitMQ website using HTTP. This file is then included without validation.

This could allow for the injection of code during the build. The website and download is also served on HTTPS with a valid certificate, which should be sufficient mitigation in many cases. However, verification of the binary via checksum would be even better.

Code affected:
https://git.openstack.org/cgit/openstack/kolla/tree/docker/rabbitmq/Dockerfile.j2#n55

There is a current git that may mitigate this for debian installs:
https://git.openstack.org/cgit/openstack/kolla/commit/?id=4d8f5497d25a2150c3a11d9537a5c0a2005ce009

Downstream at Red Hat we will most likely be removing the download and not using the plugin moving forward.

The following CVE was assigned CVE-2018-14620. We are working to ship fixes soon.

CVE References

Revision history for this message
Joshua Padman (jpadman) wrote :

This is essentially happening in the following bug too:
https://bugs.launchpad.net/tripleo/+bug/1791077

Revision history for this message
Joshua Padman (jpadman) wrote :

Spoke with Martin André about this bug and the potential for others like it. The bug is not particular serious and it would be good to open discussion about this and other potential bugs. Therefore I have set it to a "public security" bug.

I was unable to link the CVE as it was listed as invalid. Will try again soon.

information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/601322

Joshua Padman (jpadman)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla (master)

Reviewed: https://review.openstack.org/601322
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=27bab79096584b50947f0d81d41ad2e143c1041e
Submitter: Zuul
Branch: master

commit 27bab79096584b50947f0d81d41ad2e143c1041e
Author: Martin André <email address hidden>
Date: Mon Sep 10 18:49:02 2018 +0200

    Download binaries more securely

    Obtain binaries from encrypted source when we're unable to check for
    their signatures. This should provide better security than downloading
    the files over HTTP but does not replace signature verification or file
    integrity check.

    Related-Bug: #1791674
    Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd

Changed in kolla:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers