(RHSA-2016:0368) Moderate: rabbitmq-server security update

2016-03-09T03:44:40
ID RHSA-2016:0368
Type redhat
Reporter RedHat
Modified 2018-06-07T02:48:07

Description

RabbitMQ is an implementation of AMQP, the emerging standard for high performance enterprise messaging. The RabbitMQ server is a robust and scalable implementation of an AMQP broker.

A cross-site scripting vulnerability was discovered in RabbitMQ, in which path information supplied under /api/ could be used to inject data that the server echoed back. A remote attacker could use this flaw to craft an "/api/..." URL that forced a server error, causing the server to return an HTML page with text from the URL embedded without escaping. (CVE-2014-9649)

A response-splitting vulnerability was discovered in RabbitMQ. A crafted /api/definitions URL could be specified that caused an arbitrary additional header to be returned. A remote attacker could use this flaw to inject arbitrary HTTP headers and possibly gain access to sensitive data. (CVE-2014-9650)
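The two flaws above share a root cause: request-derived text reaching an output channel (an HTML error body, an HTTP header line) without being neutralised for that channel. The following added example, constructed for this advisory and not RabbitMQ's own code or Red Hat's backported patch, shows the unescaped error-page rendering beside its HTML-escaped form, and a response serialiser that refuses any header value containing CR or LF. It goes slightly beyond the text with a small helper for reviewing access logs for percent-encoded CR/LF in request targets. All function names and the sample request paths are assumptions made for the illustration.

```python
"""Constructed illustration of the defensive controls relevant to
CVE-2014-9649 (reflected text in an error page) and CVE-2014-9650
(HTTP response splitting).  Not RabbitMQ code."""
import html
import re
from urllib.parse import unquote

# A bare CR or LF inside a header line ends that line, so whatever follows
# is parsed as further headers or as the body: this is what makes a
# response "splittable".
_CRLF = re.compile(r"[\r\n]")


def render_error_page_unescaped(path: str) -> str:
    """'Before' form: the requested path is interpolated verbatim into the
    HTML error body, so any markup carried in the URL is rendered."""
    return (
        "<html><body><h1>500 Internal Server Error</h1>"
        f"<p>Error while handling {path}</p></body></html>"
    )


def render_error_page_escaped(path: str) -> str:
    """Hardened form: identical page, but the path is HTML-escaped so the
    browser shows the characters instead of interpreting them."""
    return (
        "<html><body><h1>500 Internal Server Error</h1>"
        f"<p>Error while handling {html.escape(path, quote=True)}</p></body></html>"
    )


def header_value_is_safe(value: str) -> bool:
    """True when a header name or value contains no CR/LF."""
    return _CRLF.search(value) is None


def serialize_response(status: int, reason: str, headers: dict, body: bytes) -> bytes:
    """Emit an HTTP/1.1 response, refusing any header that would split it."""
    lines = [f"HTTP/1.1 {status} {reason}"]
    for name, value in headers.items():
        if not (header_value_is_safe(name) and header_value_is_safe(value)):
            raise ValueError(f"refusing to emit header {name!r}: contains CR/LF")
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("latin-1") + body


def request_target_carries_crlf(request_target: str) -> bool:
    """Log-review helper (assumed, not from the advisory): True when the
    percent-decoded request target contains CR or LF, i.e. a client tried
    to smuggle a line break into something the server might echo."""
    return _CRLF.search(unquote(request_target)) is not None


if __name__ == "__main__":
    # Constructed sample path carrying markup, as an /api/ request might.
    sample_path = "/api/<i>echoed</i>"
    print(render_error_page_unescaped(sample_path))
    print(render_error_page_escaped(sample_path))

    # Well-formed header: serialises normally.
    print(serialize_response(200, "OK", {"Content-Type": "application/json"}, b"{}"))

    # Header value containing a line break: rejected instead of emitted.
    try:
        serialize_response(302, "Found", {"Location": "/x\r\nX-Extra: 1"}, b"")
    except ValueError as exc:
        print("rejected:", exc)

    # Constructed access-log request targets for the log-review helper.
    for target in ("/api/definitions", "/api/definitions%0d%0aX-Extra:%201"):
        print(target, "->", request_target_carries_crlf(target))
```

The escaping fix is applied at the point where the path is written into HTML, and the CR/LF check at the point where headers are written to the wire; each control belongs to its own output channel, and neither replaces the other.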

All rabbitmq-server users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.