Skip to content

[TEN-87733] AMQP Cleartext Authentication — "The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in clear text" #6383

Description

@nandinisingh-1901

SUMMARY

We are unable to resolve the AMQP Cleartext Authentication vulnerability (TEN-87733, CVSSv3 4.3 Medium) on our StackStorm deployment. When we enable TLS on RabbitMQ on port 5671, some StackStorm components fail with ECONNREFUSED errors. This forces us to revert the changes — ssl configuration, revert amqps:// to amqp:// in st2.conf — which brings the vulnerability back.

STACKSTORM VERSION

st2 2.7.2, on Python 2.7

OS, environment, install method
  • OS: Linux (RHEL/CentOS 7)
  • StackStorm: 2.7.2
  • Python: 2.7 (EOL January 2020)
  • RabbitMQ: rabbitmq-server-3.7.15-1.el7.noarch (EOL September 2020)
  • Install method: RPM packages (.el7)

Steps to reproduce the problem

  1. Enable TLS on RabbitMQ 3.7.15 (configure SSL certificates, enable TLS listener on port 5671).
  2. Disable plain-text AMQP listener on port 5671 (we use 5671 as our AMQP port) and enable TLS on the same port.3. Update /etc/st2/st2.conf messaging URL to amqps:// on port 5671.
  3. Update Mistral configuration to use amqps:// with ca_cert.
  4. Restart RabbitMQ and StackStorm services.
  5. Some StackStorm components fail to start with connection errors.

What we tried

  1. Followed StackStorm forum documentation to enable TLS/SSL on RabbitMQ.
  2. Configured RabbitMQ 3.7.15 TLS listener on port 5671 with SSL certificates.
  3. Updated /etc/st2/st2.conf messaging URL from amqp:// to amqps:// on port 5671.
  4. Updated Mistral configuration to use amqps:// with ca_cert.
  5. Restarted RabbitMQ and all StackStorm services.
  6. Result: Some StackStorm components fail with ECONNREFUSED errors.
  7. Had to revert all changes — removed SSL listener, reverted amqps:// to amqp:// in st2 and mistral, removed ca_cert — to restore functionality.
  8. Previously the fix appeared to work for few months after changing the port from 5672 to 5671, after few months it came back.

Expected Results

All StackStorm components (st2api, st2rulesengine, st2actionrunner, mistral) should connect to RabbitMQ over TLS without errors.

Actual Results

When TLS is enabled on RabbitMQ and StackStorm is configured to use amqps://:

  • Some StackStorm components fail to start or throw connection errors.
  • We are forced to revert to clear-text AMQP to keep the platform operational.
  • This brings the vulnerability back.

Error from application logs (/opt/stackstorm/log/st2/):
ERROR connection_retry_wrapper [-] RabbitMQ connection or channel error: [Errno 111] ECONNREFUSED.
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/transport/connection_retry_wrapper.py", line 116, in run
channel = connection.channel()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 266, in channel
chan = self.transport.create_channel(self.connection)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 802, in connection
self._connection = self._establish_connection()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/connection.py", line 757, in _establish_connection
conn = self.transport.establish_connection()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/kombu/transport/pyamqp.py", line 130, in establish_connection
conn.connect()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/connection.py", line 282, in connect
self.transport.connect()
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/transport.py", line 109, in connect
self._connect(self.host, self.port, self.connect_timeout)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/amqp/transport.py", line 150, in _connect
self.sock.connect(sa)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/eventlet/greenio/base.py", line 264, in connect
socket_checkerr(fd)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/eventlet/greenio/base.py", line 50, in socket_checkerr
raise socket.error(err, errno.errorcode[err])
error: [Errno 111] ECONNREFUSED

This error appears in st2api, st2rulesengine, and st2actionrunner logs. The ECONNREFUSED indicates that RabbitMQ's TLS listener is not running or not binding to port 5671 when TLS is enabled.

Thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions