File fix-CVE-2022-31008-1.patch of Package rabbitmq-server.31584

From eb41cc0f43ae0eaf8554a68736e0415f1b711ad5 Mon Sep 17 00:00:00 2001
From: Lajos Gerecs <lajos.gerecs@erlang-solutions.com>
Date: Fri, 6 May 2022 14:58:50 +0200
Subject: [PATCH] implement fallback secret for credentials obfuscation

Author:    Lajos Gerecs <lajos.gerecs@erlang-solutions.com>
(cherry picked from commit 25f8a9611bf8de61ac743442a9e9978ad535b7ee)
(cherry picked from commit 8b67133dd2044715075302b3fa08ed001c07f4a9)

# Conflicts:
#	deps/rabbit/Makefile
#	deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
(cherry picked from commit fe1e1668a2344d20c5961bad4b2876fd372bd0e6)

# Conflicts:
#	deps/rabbit/Makefile
#	deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
---
 deps/rabbit/Makefile                          | 12 +++++++
 .../src/rabbit_prelaunch_conf.erl             | 33 +++++++++++++++++
 .../src/rabbit_prelaunch_dist.erl             | 20 +++++++++++
 5 files changed, 111 insertions(+), 1 deletion(-)

Index: rabbitmq-server-3.8.11/deps/rabbit/Makefile
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbit/Makefile
+++ rabbitmq-server-3.8.11/deps/rabbit/Makefile
@@ -118,7 +118,19 @@ define PROJECT_ENV
 	    {writer_gc_threshold, 1000000000},
 	    %% interval at which connection/channel tracking executes post operations
 	    {tracking_execution_timeout, 15000},
+<<<<<<< HEAD
         {track_auth_attempt_source, false}
+=======
+	    {stream_messages_soft_limit, 256},
+<<<<<<< HEAD
+        {track_auth_attempt_source, false}
+=======
+      {track_auth_attempt_source, false},
+			{credentials_obfuscation_fallback_secret, <<"nocookie">>},
+      {dead_letter_worker_consumer_prefetch, 32},
+      {dead_letter_worker_publisher_confirm_timeout, 180000}
+>>>>>>> 8b67133dd2 (implement fallback secret for credentials obfuscation)
+>>>>>>> fe1e1668a2 (implement fallback secret for credentials obfuscation)
 	  ]
 endef
 
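Review bot: The lines added to PROJECT_ENV include unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 8b67133dd2 ...`, `>>>>>>> fe1e1668a2 ...`), so the environment list is no longer a valid term and `track_auth_attempt_source` is listed three times. The same markers are added in the rabbit_prelaunch_conf.erl hunks, at setup/1 and around set_credentials_obfuscation_secret/0. Going by the commit subject, the resolution here appears to be the existing entry with a trailing comma, `{track_auth_attempt_source, false},`, followed by `{credentials_obfuscation_fallback_secret, <<"nocookie">>}`. Whether the stream and dead-letter keys belong on this 3.8.11 base should be checked before keeping them. The PROJECT_ENV define starts outside the hunk.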
Index: rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
+++ rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
@@ -66,10 +66,16 @@ setup(Context) ->
                     #{config_files => [],
                       config_advanced_file => undefined}
             end,
+<<<<<<< HEAD
     ok = override_with_hard_coded_critical_config(),
     ok = set_credentials_obfuscation_secret(),
     rabbit_log_prelaunch:debug(
       "Saving config state to application env: ~p", [State]),
+=======
+    ?LOG_DEBUG(
+      "Saving config state to application env: ~p", [State],
+      #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+>>>>>>> fe1e1668a2 (implement fallback secret for credentials obfuscation)
     store_config_state(State).
 
 store_config_state(ConfigState) ->
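Review bot: The lower side of this conflict in setup/1 has neither `ok = override_with_hard_coded_critical_config(),` nor `ok = set_credentials_obfuscation_secret(),`, so resolving towards it would silently drop the hard-coded critical config override. It also switches to `?LOG_DEBUG` with `?RMQLOG_DOMAIN_PRELAUNCH`, while the surrounding context logs through `rabbit_log_prelaunch:debug`, and no visible hunk adds an include for those macros. Whichever side is kept, a comment above the secret setup stating which module now owns it would make the intent clear. The body of setup/1 starts outside the hunk.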
@@ -379,6 +385,7 @@ apply_app_env_vars(App, [{Var, Value} |
 apply_app_env_vars(_, []) ->
     ok.
 
+<<<<<<< HEAD
 set_credentials_obfuscation_secret() ->
     rabbit_log_prelaunch:debug(
       "Refreshing credentials obfuscation configuration from env: ~p",
@@ -388,6 +395,32 @@ set_credentials_obfuscation_secret() ->
     rabbit_log_prelaunch:debug(
       "Setting credentials obfuscation secret to '~s'", [CookieBin]),
     ok = credentials_obfuscation:set_secret(CookieBin).
+=======
+log_app_env_var(password = Var, _) ->
+    ?LOG_DEBUG("    - ~s = ********", [Var],
+               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH});
+log_app_env_var(Var, Value) when is_list(Value) ->
+    %% To redact sensitive entries,
+    %% e.g. {password,"********"} for stream replication over TLS
+    Redacted = redact_env_var(Value),
+    ?LOG_DEBUG("    - ~s = ~p", [Var, Redacted],
+               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH});
+log_app_env_var(Var, Value) ->
+    ?LOG_DEBUG("    - ~s = ~p", [Var, Value],
+               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}).
+
+redact_env_var(Value) when is_list(Value) ->
+    redact_env_var(Value, []);
+redact_env_var(Value) ->
+    Value.
+
+redact_env_var([], Acc) ->
+    lists:reverse(Acc);
+redact_env_var([{password, _Value} | Rest], Acc) ->
+    redact_env_var(Rest, Acc ++ [{password, "********"}]);
+redact_env_var([AppVar | Rest], Acc) ->
+    redact_env_var(Rest, [AppVar | Acc]).
+>>>>>>> 8b67133dd2 (implement fallback secret for credentials obfuscation)
 
 %% -------------------------------------------------------------------
 %% Config decryption.
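Review bot: redact_env_var/2 builds its accumulator two ways: the `{password, _}` clause appends with `Acc ++ [...]` while the generic clause prepends, so after `lists:reverse(Acc)` a redacted entry moves to the front of the list instead of staying in place. Prepending in both clauses keeps the order and avoids the repeated append: `redact_env_var(Rest, [{password, "********"} | Acc]);`. Only top-level `{password, _}` tuples are masked, so a short comment saying that nested or differently named secrets are logged as-is would help readers of the debug log. Nothing in the visible hunks calls log_app_env_var/2.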
Index: rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
+++ rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
@@ -23,6 +23,8 @@ setup(#{nodename := Node, nodename_type
             throw({error, {erlang_dist_running_with_unexpected_nodename,
                            Unexpected, Node}})
     end,
+    ok = set_credentials_obfuscation_secret(),
+
     ok.
 
 do_setup(#{nodename := Node, nodename_type := NameType}) ->
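Review bot: The new `ok = set_credentials_obfuscation_secret(),` in setup/1 duplicates a call that the HEAD side of the rabbit_prelaunch_conf.erl hunks keeps, together with its own copy of the function, and that copy never sets the fallback secret. If both survive conflict resolution, the secret is configured from two modules with different behaviour. A one-line comment above the call would record why it lives here, for example `%% Set the obfuscation secret here, after the distribution checks, so the real cookie is used.`, assuming that is the reason for the move. The call could also be the final expression, since it is already matched against `ok`. The body of setup/1 starts outside the hunk.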
@@ -102,3 +104,21 @@ dist_port_use_check_fail(Port, Host) ->
         [Name] ->
             throw({error, {dist_port_already_used, Port, Name, Host}})
     end.
+
+set_credentials_obfuscation_secret() ->
+    ?LOG_DEBUG(
+        "Refreshing credentials obfuscation configuration from env: ~p",
+        [application:get_all_env(credentials_obfuscation)],
+        #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+    ok = credentials_obfuscation:refresh_config(),
+    CookieBin = rabbit_data_coercion:to_binary(erlang:get_cookie()),
+    ?LOG_DEBUG(
+        "Setting credentials obfuscation secret to '~s'", [CookieBin],
+        #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+    ok = credentials_obfuscation:set_secret(CookieBin),
+    Fallback = application:get_env(rabbit, 
+                                   credentials_obfuscation_fallback_secret, 
+                                   <<"nocookie">>),
+    ok = credentials_obfuscation:set_fallback_secret(Fallback).
+
+    
\ No newline at end of file
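Review bot: The second `?LOG_DEBUG` in set_credentials_obfuscation_secret/0 writes the Erlang cookie into the debug log, and that value is both the obfuscation secret and the node's distribution cookie. The message can record the event without the value: `?LOG_DEBUG("Setting credentials obfuscation secret from the Erlang cookie", [], #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),`. The first call prints `application:get_all_env(credentials_obfuscation)` with `~p` and may need the same treatment if that environment can hold a secret. The fallback default `<<"nocookie">>` is a fixed value that ships in the source, so a comment telling operators to override `credentials_obfuscation_fallback_secret` would be useful.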