Activity log for bug #1791674

Date Who What changed Old value New value Message
2018-09-10 13:40:16 Joshua Padman bug added bug
2018-09-10 15:23:57 Joshua Padman information type Private Security Public Security
2018-09-10 23:03:34 Joshua Padman description

Old value:

Hi,

Recently it was seen that Kolla was including a RabbitMQ plugin which is downloaded from the RabbitMQ website using HTTP. This file is then included without validation. This could allow for the injection of code during the build. The website and download is also served on HTTPS with a valid certificate, which should be sufficient mitigation.

Code affected: https://git.openstack.org/cgit/openstack/kolla/tree/docker/rabbitmq/Dockerfile.j2#n55

There is a current git that may mitigate this for debian installs: https://git.openstack.org/cgit/openstack/kolla/commit/?id=4d8f5497d25a2150c3a11d9537a5c0a2005ce009

Downstream at Red Hat we will most likely be removing the download and not using the plugin moving forward.

The following CVE was assigned CVE-2018-14620. We are working to ship fixes soon.

New value:

Hi,

Recently it was seen that Kolla was including a RabbitMQ plugin which is downloaded from the RabbitMQ website using HTTP. This file is then included without validation. This could allow for the injection of code during the build. The website and download is also served on HTTPS with a valid certificate, which should be sufficient mitigation in many cases. However, verification of the binary via checksum would be even better.

Code affected: https://git.openstack.org/cgit/openstack/kolla/tree/docker/rabbitmq/Dockerfile.j2#n55

There is a current git that may mitigate this for debian installs: https://git.openstack.org/cgit/openstack/kolla/commit/?id=4d8f5497d25a2150c3a11d9537a5c0a2005ce009

Downstream at Red Hat we will most likely be removing the download and not using the plugin moving forward.

The following CVE was assigned CVE-2018-14620. We are working to ship fixes soon.
2018-09-11 05:29:04 Joshua Padman cve linked 2018-14620
2019-09-12 13:59:58 Michal Nasiadka kolla: status New Fix Released
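As an added example that is not part of this bug report and not Kolla's own Dockerfile code: a POSIX shell helper that does what the updated description asks for, fetching a build-time artifact over HTTPS only (certificate validation is curl's default) and refusing to use it unless its SHA-256 matches a digest pinned in the build. The function names, and the URL, digest and destination path in the usage note, are placeholders chosen for illustration.

```shell
# Added example, not Kolla's code: download-and-verify helper for build steps
# such as the RabbitMQ plugin fetch in a Dockerfile RUN line.

# Print the SHA-256 hex digest of a file; works with coreutils or BSD tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
verify_artifact() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Refuses plain http:// URLs outright, downloads with TLS and certificate
# validation, then checks the pinned digest. On any failure the partial or
# unverified file is removed so a later build step cannot pick it up.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    # --proto '=https' also blocks a redirect from downgrading to http://.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"; then
        rm -f "$dest"
        return 1
    fi
    if ! verify_artifact "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
    return 0
}
```

In a Dockerfile this would be used as `RUN fetch_verified "$PLUGIN_URL" "$PLUGIN_SHA256" /path/to/plugin.ez` with the digest supplied as a build argument or hard-coded next to the URL; the point is that the digest is pinned in the repository, so a changed file on the download server fails the build instead of silently entering the image.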