default account "guest" has administrator privileges

Bug #1508698 reported by Paul Collins
Affects: rabbitmq-server (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

rabbitmq by default creates an account named "guest" with the password "guest". This account has administrative privileges, and up until version 3.3.0, it is also usable over the network. The version in trusty is 3.2.4.

https://www.rabbitmq.com/access-control.html

https://www.rabbitmq.com/blog/2014/04/02/breaking-things-with-rabbitmq-3-3/

This appears to be common knowledge (so my filing this as a private security bug may be overzealous) and indeed is relied upon in many places. I discovered it while working on an internal monitoring script, and here's another example: https://bugs.launchpad.net/openstack-manuals/+bug/1390419

Since it would not affect existing installations, it may be reasonable to alter this behaviour, even in a stable release.

Tags: security
Paul Collins (pjdc)
description: updated
information type: Private Security → Public Security
Changed in rabbitmq-server (Ubuntu):
status: New → Confirmed
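
Added example, not part of the bug report or of RabbitMQ: a Nagios-style check a monitoring script could run to flag the default "guest" account described above. It assumes `rabbitmqctl list_users` prints one `name<TAB>[tags]` line per account and that the caller passes the upstream version; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag the default "guest" account.
# Reads `rabbitmqctl list_users` output on stdin.

# version_lt A B: true when dotted version A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" |
            sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# audit_guest UPSTREAM_VERSION
# Exit status: 0 = OK, 1 = WARNING, 2 = CRITICAL.
audit_guest() {
    # Banner lines ("Listing users ...") never have "guest" as first field.
    if ! tags=$(awk -F'\t' '$1 == "guest" { print $2; found = 1 }
                            END { exit !found }'); then
        echo "OK: no guest account"
        return 0
    fi
    case $tags in
        *administrator*) priv="with administrator tag" ;;
        *)               priv="without administrator tag" ;;
    esac
    # Per the report, guest is usable over the network before 3.3.0.
    if version_lt "$1" 3.3.0; then
        echo "CRITICAL: guest present $priv, network-usable on $1"
        return 2
    fi
    echo "WARNING: guest present $priv on $1"
    return 1
}

# Constructed sample in the 3.2.x output format (not captured from a host).
SAMPLE_TRUSTY=$(printf 'Listing users ...\nguest\t[administrator]\n...done.')

# Live use (assumes rabbitmqctl is on PATH and VERSION is the upstream version):
#   rabbitmqctl list_users | audit_guest "$VERSION"
# The listing cannot show whether the password is still "guest"; remediate with
#   rabbitmqctl change_password guest <new>   or   rabbitmqctl delete_user guest
printf '%s\n' "$SAMPLE_TRUSTY" | audit_guest 3.2.4 || echo "exit status: $?"
```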