Candidate: CVE-2018-1279
PublicDate: 2018-12-10 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1279
 https://pivotal.io/security/cve-2018-1279
Description:
 Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated
 cookie that is shared between all machines when configured in a
 multi-tenant cluster. A remote attacker who can gain information about the
 network topology can guess this cookie and, if they have access to the
 right ports on any server in the MQ cluster can use this cookie to gain
 full control over the entire cluster.
Ubuntu-Description:
Notes:
 mdeslaur> Debian fixed this in 3.9.8-5 by adding a note to README.Debian
 mdeslaur> explaining how to secure a RabbitMQ cluster
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924768
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]


Patches_rabbitmq-server:
upstream_rabbitmq-server: released (3.9.8-5)
esm-infra/xenial_rabbitmq-server: needs-triage
trusty_rabbitmq-server: ignored (out of standard support)
xenial_rabbitmq-server: ignored (out of standard support)
bionic_rabbitmq-server: needs-triage
focal_rabbitmq-server: needs-triage
impish_rabbitmq-server: needs-triage
jammy_rabbitmq-server: not-affected (3.9.8-6)
devel_rabbitmq-server: not-affected (3.9.8-6)