Activity log for bug #1508698

| Date | Who | What changed | Old value | New value | Message |
| --- | --- | --- | --- | --- | --- |
| 2015-10-21 21:53:55 | Paul Collins | bug | | | added bug |
| 2015-10-21 21:54:13 | Paul Collins | bug | | | added subscriber The Canonical Sysadmins |
| 2015-10-21 21:54:28 | Paul Collins | bug | | | added subscriber Canonical WebOps |
| 2015-10-21 22:32:31 | Paul Collins | description | Up until version 3.3.0, rabbitmq by default creates an account named "guest" with the password "guest". This account is usable over the network, and it also has administrative privileges. The version in trusty is 3.2.4. https://www.rabbitmq.com/access-control.html https://www.rabbitmq.com/blog/2014/04/02/breaking-things-with-rabbitmq-3-3/ This appears to be common knowledge (so my filing this as a private security bug may be overzealous) and indeed is relied upon in many places. I discovered it while working on an internal monitoring script, and here's another example: https://bugs.launchpad.net/openstack-manuals/+bug/1390419 Since it would not affect existing installations, it may be reasonable to alter this behaviour, even in a stable release. | rabbitmq by default creates an account named "guest" with the password "guest". This account has administrative privileges, and up until version 3.3.0, it is also usable over the network. The version in trusty is 3.2.4. https://www.rabbitmq.com/access-control.html https://www.rabbitmq.com/blog/2014/04/02/breaking-things-with-rabbitmq-3-3/ This appears to be common knowledge (so my filing this as a private security bug may be overzealous) and indeed is relied upon in many places. I discovered it while working on an internal monitoring script, and here's another example: https://bugs.launchpad.net/openstack-manuals/+bug/1390419 Since it would not affect existing installations, it may be reasonable to alter this behaviour, even in a stable release. | |
| 2015-10-29 18:33:25 | Marc Deslauriers | information type | Private Security | Public Security | |
| 2015-10-29 18:33:29 | Marc Deslauriers | rabbitmq-server (Ubuntu): status | New | Confirmed | |