mirror of https://github.com/zulip/zulip.git (synced 2025-11-03 21:43:21 +00:00)
CVE-2021-43799: Write rabbitmq configuration before starting.

Zulip writes a `rabbitmq.config` configuration file which locks down RabbitMQ to listen only on localhost:5672, as well as the RabbitMQ distribution port, on localhost:25672. The "distribution port" is part of Erlang's clustering configuration; while it is documented that the protocol is fundamentally insecure ([1], [2]) and can result in remote arbitrary execution of code, by default the RabbitMQ configuration on Debian and Ubuntu leaves it publicly accessible, with weak credentials.

The configuration file that Zulip writes, while effective, is only written _after_ the package has been installed and the service started, which leaves the port exposed until RabbitMQ or system restart.

Ensure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written before rabbitmq is installed or starts, and that changes to that file trigger a restart of the service, such that the ports are only ever bound to localhost.

This does not mitigate existing installs, since it does not force a rabbitmq restart.

[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html
[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system
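Because the commit message notes that existing installs are not mitigated until RabbitMQ is restarted, an operator needs a quick way to confirm that ports 5672 and 25672 are bound to loopback only. The following check is an added example, not Zulip's own code; it parses `ss -Hltn` output (real iproute2 flags) and is exercised here on constructed sample lines.

```bash
#!/bin/sh
# Added example (not part of the Zulip project): verify that the RabbitMQ AMQP
# port (5672) and the Erlang distribution port (25672) listen on loopback only.
# check_rabbitmq_bindings takes text in `ss -Hltn` format (one listening socket
# per line, local address in column 4), prints every non-loopback listener on
# those ports, and returns 1 if any was found.
check_rabbitmq_bindings() {
    printf '%s\n' "$1" | awk '
        { addr = $4 }                                   # "Local Address:Port" column
        addr ~ /:(5672|25672)$/ {
            # Anything other than 127.x.x.x or [::1] is reachable beyond the host
            if (addr !~ /^(127\.[0-9.]+|\[::1]):/) { print "exposed: " addr; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed samples. SAMPLE_EXPOSED mirrors the Debian/Ubuntu default the
# commit describes: AMQP locked to loopback, distribution port on all interfaces.
SAMPLE_EXPOSED='LISTEN 0 128 127.0.0.1:5672 0.0.0.0:*
LISTEN 0 128 0.0.0.0:25672 0.0.0.0:*'

SAMPLE_SAFE='LISTEN 0 128 127.0.0.1:5672 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25672 0.0.0.0:*
LISTEN 0 128 [::1]:25672 [::]:*'

if [ "${1:-}" = "--live" ]; then
    # Run against the current host; requires iproute2's ss.
    check_rabbitmq_bindings "$(ss -Hltn)" || echo "RabbitMQ port reachable beyond loopback; restart RabbitMQ after writing rabbitmq.config"
else
    for sample in "$SAMPLE_SAFE" "$SAMPLE_EXPOSED"; do
        if check_rabbitmq_bindings "$sample"; then
            echo "ok: loopback only"
        else
            echo "FAIL: see exposed listener above"
        fi
    done
fi
```

Run with `--live` on the server itself; without arguments it only demonstrates the check on the embedded samples.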
		@@ -121,6 +121,9 @@ log][commit-log] for an up-to-date list of raw changes.
## Zulip 4.x series
- Closed access to RabbitMQ port 25672; initial installs tried to
  close this port, but failed to restart RabbitMQ for the
  configuration.
- Removed the `rabbitmq.nodename` configuration in `zulip.conf`; all
  RabbitMQ instances will be reconfigured to have a nodename of
  `zulip@localhost`. You can remove this setting from your
 
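Review bot: The "Closed access to RabbitMQ port 25672" changelog bullet in this hunk omits two facts from the commit message that operators reading the changelog need: the CVE identifier (CVE-2021-43799) and the statement that existing installs are not mitigated because the change does not force a RabbitMQ restart. Suggest extending the bullet along the lines of `- Closed access to RabbitMQ port 25672 (CVE-2021-43799); initial installs tried to close this port, but failed to restart RabbitMQ for the configuration. Existing installs must restart RabbitMQ to apply the change.` The second bullet (`rabbitmq.nodename` removal) is cut off at the hunk boundary, so its wording cannot be reviewed here.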