Overview

CVE-2014-9568 - Potential information leakage in puppetlabs-rabbitmq facts handling

  • Posted January 27, 2015

  • Assessed Risk Level: Low

An issue exists in puppetlabs-rabbitmq where the content of ‘/var/lib/rabbitmq/.erlang.cookie’ is added to a node's facts.

A non-privileged local user could access the RabbitMQ Erlang cookie value via Facter. In addition, the Erlang cookie information could be unintentionally exposed through third-party applications that display facts.

Users should upgrade the puppetlabs-rabbitmq module to puppetlabs-rabbitmq 5.0.
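To confirm whether the cookie value is present in a node's facts before or after upgrading, the added Ruby example below (not part of the original advisory or the module's code) walks a facts dump and reports every fact that contains the cookie. The sample cookie, the fact names and the script name `check_cookie_facts.rb` are constructed for illustration; the facts dump is assumed to be JSON such as that written by `facter -p --json`.

```ruby
require 'json'

# Recursively walk a facts structure (parsed from a JSON facts dump) and
# return the dotted path of every fact whose value contains the cookie.
def leaked_fact_paths(facts, cookie, prefix = nil)
  secret = cookie.to_s.strip
  # An empty cookie would "match" every string, so refuse to search for it.
  raise ArgumentError, 'cookie is empty' if secret.empty?

  case facts
  when Hash
    facts.flat_map do |key, value|
      leaked_fact_paths(value, secret, [prefix, key].compact.join('.'))
    end
  when Array
    facts.each_with_index.flat_map do |value, i|
      leaked_fact_paths(value, secret, "#{prefix}[#{i}]")
    end
  else
    facts.to_s.include?(secret) ? [prefix.to_s] : []
  end
end

# Constructed sample data: not a real cookie, and the fact names are made up.
SAMPLE_COOKIE = "EXAMPLECOOKIEVALUE0001\n"
SAMPLE_FACTS_JSON = <<~JSON
  {
    "hostname": "mq01",
    "example_cookie_fact": "EXAMPLECOOKIEVALUE0001",
    "example_nested": { "services": ["amqp", "cookie=EXAMPLECOOKIEVALUE0001"] },
    "uptime_days": 12
  }
JSON

# Live use on a node (assumption: run as a user allowed to read the cookie):
#   facter -p --json > facts.json
#   ruby check_cookie_facts.rb /var/lib/rabbitmq/.erlang.cookie facts.json
live   = ARGV.length == 2
cookie = live ? File.read(ARGV[0]) : SAMPLE_COOKIE
facts  = JSON.parse(live ? File.read(ARGV[1]) : SAMPLE_FACTS_JSON)

leaks = leaked_fact_paths(facts, cookie)
if leaks.empty?
  puts 'Cookie value not present in facts.'
else
  puts "Cookie value exposed in facts: #{leaks.join(', ')}"
end
```

Because the check matches on the cookie's value rather than on a fact name, the same function can be run over fact data exported from any third-party application that stores or displays facts.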

Thanks to Luca Bruno for responsibly disclosing this issue to us.

CVSS v2 Score: 1.3

Vector AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Status:

Affected Software Versions:

  • puppetlabs-rabbitmq 3.0 - 4.1

Resolved in:

  • puppetlabs-rabbitmq 5.0