Zulip vulnerability CVE-2021-43799 and RabbitMQ

[gauravdeshmukh612]

This will affect all latest version of RabbitMq and creates issue for installation
I think this is not related to RabbitMq it is released to Zulip server.
Please give your suggestion on this

Link : https://nvd.nist.gov/vuln/detail/CVE-2021-43799

Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.

[michaelklishin]

I will convert this issue to a GitHub discussion. Currently GitHub will automatically close and lock the issue even though your question will be transferred and responded to elsewhere. This is to let you know that we do not intend to ignore this but this is how the current GitHub conversion mechanism makes it seem for the users :(

[michaelklishin]

The vulnerability comes down to port access restrictions used by Zulip, and not in RabbitMQ itself.

Our team does not maintain Zulip, is not involved in its development in any way. There is a workaround provided (ensure that the port in question is not exposed to the public any other way), not sure what else we can suggest.

[gauravdeshmukh612]

Thanks for quick replay !!!

It means that we are safe to use RabbitMQ, if port not open to internet right ??

[michaelklishin]

It means that all other RabbitMQ users are responsible for making sure that ports that don't have to be publicly exposed, aren't. CLI and inter-node communication ports are some obvious candidates. If no client connections are expected from the public Internet, then all ports can be concealed.

Whether you are "safe to use RabbitMQ", I can't know. Infrastructure security is so much more than not exposing ports.