About CVE-2018-1279 (from 2018) #13764
-
Community Support Policy
RabbitMQ version used4.0.3 How is RabbitMQ deployed?RPM package Steps to reproduce the behavior in questioncan any one guide me is there any version that does not have this vulnerability.. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
@ramagopalg You are looking at a false positive. In any case, you can pre-generate any shared secret you want without relying on the default value generation. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the inputs. But, i did not understand why its false positive. When i down load the rabbit MQ rpm file below and did scan through Xray , its showing that high vulnerability. https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.0.3 The confusion for me is that why that flaw ( from 2018) is showing when we scan latest versions like 4.03/4.0.4/4.0.5 etc ? I am planning to use my own secret for erlang cookie . With that , don't we need to worry about that flaw ? |
Beta Was this translation helpful? Give feedback.
-
|
@ramagopalg both of your questions are answered in the very message you are responding to, please take some time to read it carefully. This is not a vulnerability in RabbitMQ. The cookie is generated by the Erlang runtime, not RabbitMQ. It is only generated if the file does not already exist. |
Beta Was this translation helpful? Give feedback.
@ramagopalg
CVE-2018-1279is from 2018 and specific to what is called Tanzu RabbitMQ today.You are looking at a false positive. In any case, you can pre-generate any shared secret you want without relying on the default value generation.