Tower does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files.
Find out more about CVE-2018-16879 from the MITRE CVE dictionary dictionary and NIST NVD.
Red Hat CloudForms version 4.6 ships an ansible-tower which correctly sets the security channel. Red Hat CloudForms version 4.7 ships ansible-tower 3.3.3 which already contains the fix.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| Attack Vector | Adjacent Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat Ansible Tower 3 for RHEL 7 | ansible-tower-server | Affected |
Vulmon