CVE-2016-9877 RabbitMQ authentication vulnerability
Severity
Critical
Vendor
Pivotal
Versions Affected
- Pivotal RabbitMQ:
  - 3.x versions prior to 3.5.8
  - 3.6.x versions prior to 3.6.6
- RabbitMQ for PCF:
  - 1.5.x versions prior to 1.5.20
  - 1.6.x versions prior to 1.6.12
  - 1.7.x versions prior to 1.7.7
Description
MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
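The condition described above, as an added example that is not part of this advisory and not RabbitMQ's own code: a small MQTT 3.1.1 CONNECT parser that reads the username and password flags from the connect-flags byte, followed by two broker-side login checks. `authenticate_vulnerable` is a constructed illustration of the bug class (an absent password is treated as nothing to verify, so an existing username alone is enough), not RabbitMQ's actual logic; `authenticate_fixed` fails closed whenever the password field is missing. The two CONNECT packets and the user table are constructed sample data.

```python
import hmac
import struct

# Constructed sample: CONNECT for user "guest" with password "guest", clean session.
CONNECT_WITH_PASSWORD = (
    b"\x10\x1c"        # fixed header: packet type 1 (CONNECT), remaining length 28
    b"\x00\x04MQTT"    # protocol name, length-prefixed
    b"\x04"            # protocol level 4 (MQTT 3.1.1)
    b"\xc2"            # connect flags: username 0x80 | password 0x40 | clean session 0x02
    b"\x00\x3c"        # keep-alive 60 s
    b"\x00\x02c1"      # payload: client identifier
    b"\x00\x05guest"   # payload: username (present because bit 7 is set)
    b"\x00\x05guest"   # payload: password (present because bit 6 is set)
)

# Constructed sample: same user, but the password flag is clear and no password field follows.
CONNECT_WITHOUT_PASSWORD = (
    b"\x10\x15"              # fixed header: CONNECT, remaining length 21
    b"\x00\x04MQTT\x04"      # protocol name and level
    b"\x82"                  # connect flags: username 0x80 | clean session 0x02, password flag clear
    b"\x00\x3c\x00\x02c1"    # keep-alive 60 s, client identifier
    b"\x00\x05guest"         # username only; the payload ends here
)

# Constructed user table (plaintext for the demo only; a real broker stores password hashes).
USERS = {"guest": "guest"}


def _remaining_length(buf, i):
    """Decode the variable-length 'remaining length' field starting at buf[i]."""
    value, multiplier = 0, 1
    while True:
        byte = buf[i]
        i += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, i
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _prefixed_field(buf, i):
    """Read a 2-byte big-endian length prefix followed by that many bytes."""
    if i + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, i)
    i += 2
    if i + n > len(buf):
        raise ValueError("truncated field")
    return buf[i:i + n], i + n


def parse_connect(packet):
    """Return the fields a broker needs for login; 'password' is None when the field is absent."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, i = _remaining_length(packet, 1)
    if len(packet) - i != remaining:
        raise ValueError("remaining length does not match packet size")
    name, i = _prefixed_field(packet, i)
    if name != b"MQTT":
        raise ValueError("unsupported protocol name")
    level, flags = packet[i], packet[i + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, i + 2)
    i += 4
    if flags & 0x01:
        raise ValueError("reserved connect flag set")                  # MQTT-3.1.2-3
    has_username, has_password, has_will = bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x04)
    if has_password and not has_username:
        raise ValueError("password flag set without username flag")    # MQTT-3.1.2-22
    client_id, i = _prefixed_field(packet, i)
    if has_will:
        _, i = _prefixed_field(packet, i)  # will topic
        _, i = _prefixed_field(packet, i)  # will message
    username = password = None
    if has_username:
        raw, i = _prefixed_field(packet, i)
        username = raw.decode("utf-8")
    if has_password:
        password, i = _prefixed_field(packet, i)  # binary data per the spec, kept as bytes
    if i != len(packet):
        raise ValueError("trailing bytes after CONNECT payload")
    return {"protocol_level": level, "keep_alive": keep_alive,
            "client_id": client_id.decode("utf-8"), "username": username, "password": password}


def authenticate_vulnerable(conn, users):
    """Assumed illustration of the bug class, not RabbitMQ's code: an absent password is
    treated as nothing to check, so any existing username is enough to log in."""
    if conn["username"] not in users:
        return False
    if conn["password"] is None:
        return True
    return hmac.compare_digest(conn["password"], users[conn["username"]].encode("utf-8"))


def authenticate_fixed(conn, users):
    """Fail closed: a username/password login needs both fields present and matching."""
    if conn["username"] is None or conn["password"] is None:
        return False
    expected = users.get(conn["username"])
    if expected is None:
        return False
    return hmac.compare_digest(conn["password"], expected.encode("utf-8"))
```

The parser keeps "password flag clear" (field absent, `None`) distinct from an empty password field, which is the distinction the fixed check relies on; it also enforces the two spec rules on the flags byte so that a malformed CONNECT is rejected before any credential lookup. For a real deployment the fix is the upgrade listed under Mitigation, not a local patch of this kind.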
Mitigation
Users of affected standalone RabbitMQ versions should apply the following mitigation:
- Upgrade RabbitMQ 3.x versions to 3.5.8 or later
- Upgrade RabbitMQ 3.6.x versions to 3.6.6 or later
Users of affected Pivotal Cloud Foundry versions should apply the following mitigation:
- Upgrade RabbitMQ for PCF 1.5.x versions to 1.5.20 or later
- Upgrade RabbitMQ for PCF 1.6.x versions to 1.6.12 or later
- Upgrade RabbitMQ for PCF 1.7.x versions to 1.7.7 or later
Operators who cannot immediately upgrade should do the following:
- Enable TLS with client-provided certificates for MQTT connections
- Switch to unique (difficult to guess) usernames