PT-2018-12620 · Red Hat · Red Hat Openstack+1

Published 2018-09-10 · Updated 2021-08-04 · CVE-2018-14620

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenStack RabbitMQ container image versions as shipped with Red Hat Openstack 12, 13, 14
Description: The issue arises from the insecure retrieval of the rabbitmq clusterer component over plain HTTP during the build stage of the OpenStack RabbitMQ container image. An attacker positioned on the network path could serve malicious code to the image builder, resulting in the installation of malicious code in the resultant container image.
Recommendations: For versions as shipped with Red Hat Openstack 12, 13, 14, consider disabling the insecure retrieval of the rabbitmq clusterer component over HTTP as a temporary workaround until a patch is available. Restrict access to the build stage of the OpenStack RabbitMQ container image to minimize the risk of exploitation.
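The mitigation described above, shown as an added example (not Red Hat's build code): a POSIX shell fetch step for a container build that refuses non-HTTPS artifact URLs and verifies a pinned SHA-256 digest before installing the file. The function names, the URL and the digest placeholder are assumptions for illustration.

```shell
#!/bin/sh
# Added example: hardened artifact retrieval for an image build step.
# Function names and values below are hypothetical, not from the advisory.

# Refuse any artifact URL that is not https:// (the weakness is plain-HTTP retrieval).
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS artifact URL: $1" >&2; return 1 ;;
    esac
}

# Print the SHA-256 hex digest of a file (coreutils or BSD fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest matches the pinned expected digest.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download over HTTPS only, verify the digest, then move into place.
# Usage: fetch_verified URL EXPECTED_SHA256 DEST
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"
    require_https "$url" || return 1
    tmp=$(mktemp) || return 1
    # --proto '=https' blocks redirects to http://; --fail rejects HTTP error pages.
    if ! curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        echo "digest mismatch for $url, not installing" >&2
        rm -f "$tmp"; return 1
    fi
}

# Example invocation with placeholder values (replace with the real URL and pinned digest):
# fetch_verified "https://ARTIFACT_HOST/rabbitmq_clusterer.ez" "PINNED_SHA256_HEX" /tmp/rabbitmq_clusterer.ez
```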

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2018-14620

Affected Products

Openstack Rabbitmq
Red Hat Openstack