Security vulnerabilities that affect the default version of RabbitMQ installed with Carousel 7 have been identified. At the time of this article's posting, those are:
Note that the vulnerabilities are not within the Carousel 7 software itself but a dependent resource installed along with Carousel 7 (similar to SQL or IIS).
Affected Versions
RabbitMQ versions prior to 3.8.16, which were installed with:
- Carousel 6.6.0 - 6.6.3
- Carousel 7.0.0 - 7.0.11
- Carousel 7.1.0 - 7.1.2
- Carousel 7.2.0 - 7.2.3
- Carousel 7.3.0 - 7.3.7
- Carousel 7.4.0 - 7.4.8
- Carousel 7.5.0 - 7.5.6
Impacts
These vulnerabilities allow for the addition of arbitrary plugins, possible denial of service attacks from sending malicious AMQP messages, or JavaScript code execution in the context of the page (if the user is signed in and has elevated permissions).
Not every Carousel installation of RabbitMQ is impacted by these. The default configuration of the program is limited to performing operations locally on the Carousel server, so desktop-level user access to that server would be required to exploit them.
Patching/Solutions
Update to RabbitMQ v3.8.19:
- Stop the Carousel Service in Windows
- Stop the Carousel Rendering Service in Windows
- Uninstall RabbitMQ
- Uninstall ErlangOTP
- Download and install ErlangOTP v24: https://erlang.org/download/otp_win64_24.0.exe
- Download and install RabbitMQ v3.8.19: https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.8.19/rabbitmq-server-3.8.19.exe
- Reboot the system
In some cases, you may need to start the Carousel Service manually after rebooting.
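The following PowerShell script is an added example for checking that the update above actually took effect; it is not part of this article or of the Carousel product. It assumes the RabbitMQ and Erlang installers register themselves under the standard Windows uninstall registry keys with a DisplayName and DisplayVersion (which their installers do), and that the two Carousel services have Windows display names beginning with "Carousel" (an assumption).

```powershell
# Added verification script (not Carousel's own tooling).
# Checks the installed RabbitMQ version against the advisory's threshold,
# reports the installed Erlang/OTP, and confirms the Carousel services are back up.
$MinimumSafeRabbit = [version]'3.8.16'   # first version not affected per the advisory
$TargetRabbit      = [version]'3.8.19'   # version the procedure installs

# Both 64-bit and 32-bit uninstall hives, so a WOW64-registered installer is not missed.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion

$rabbit = $installed | Where-Object { $_.DisplayName -like 'RabbitMQ*' } | Select-Object -First 1
$erlang = $installed | Where-Object { $_.DisplayName -like 'Erlang*' }   | Select-Object -First 1

if (-not $rabbit) {
    Write-Warning 'RabbitMQ is not registered as installed; the upgrade may not have completed.'
} else {
    # Strip any non-numeric suffix so the string parses as a [version].
    $ver = [version](($rabbit.DisplayVersion -replace '[^\d.].*$', ''))
    if ($ver -lt $MinimumSafeRabbit) {
        Write-Warning "Installed RabbitMQ $ver is in the affected range (< $MinimumSafeRabbit)."
    } elseif ($ver -lt $TargetRabbit) {
        Write-Output "RabbitMQ $ver is outside the affected range but older than the recommended $TargetRabbit."
    } else {
        Write-Output "RabbitMQ $ver is at or above the recommended $TargetRabbit."
    }
}

if (-not $erlang) {
    Write-Warning 'Erlang/OTP is not registered as installed; RabbitMQ cannot start without it.'
} else {
    Write-Output "Erlang/OTP registered as: $($erlang.DisplayName) $($erlang.DisplayVersion)"
}

# After the reboot the Carousel services should be running; list any that are not.
# Display-name pattern is an assumption; adjust it to match your server.
$stopped = Get-Service -DisplayName 'Carousel*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Running' }
if ($stopped) {
    Write-Warning ("Carousel services not running: " + ($stopped.DisplayName -join ', '))
} else {
    Write-Output 'All Carousel services are running.'
}
```

Run it in an elevated PowerShell session on the Carousel server after the reboot step; a warning about a stopped service corresponds to the manual start noted above.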