CVE-2018-1279 — Use of Insufficiently Random Values in Rabbitmq FOR PCF

CWE-330 — Use of Insufficiently Random Values CWE-1241 — Use of Predictable Algorithm in Random Number Generator7 documents7 sources

Severity

6.5MEDIUMNVD

CNA8.5

EPSS

0.4%

top 40.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Rabbitmq FOR PCF Rabbitmq Rabbitmq-server

Timeline

PublishedDec 10

Latest updateMay 13

Description

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5pivotal/rabbitmq_for_pcf1 — all versions*

▶Debianrabbitmq/rabbitmq-server< 3.9.8-5+2

🔴Vulnerability Details

GHSA

GHSA-f9rc-w362-jp2c: Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenan↗2022-05-13

▶

CVEList

RabbitMQ cluster compromise due to deterministically generated cookie↗2018-12-10

▶

OSV

CVE-2018-1279: Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenan↗2018-12-10

▶

📋Vendor Advisories

Red Hat

rabbitmq-server: Deterministically generated cookie shared between all machines↗2018-12-20

▶

Debian

CVE-2018-1279: rabbitmq-server - Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cooki...↗2018

▶

💬Community

Bugzilla

CVE-2018-1279 rabbitmq-server: Deterministically generated cookie shared between all machines↗2018-12-20

▶