[KBA-79137] Critical vulnerability update for RabbitMQ
A critical vulnerability has been identified in some Genetec products that use the RabbitMQ message broker, a third-party component, to communicate with each other.
The vulnerability might put affected products at risk by allowing malicious actors to bypass the authentication process and impersonate other users. This can occur when the server is configured to use TLS or DTLS authentication.
Applies to
- Mission Control 2.13.1.0 - 2.13.4.x
- Mission Control 2.12.1.5
- Mission Control 2.11 GA and SR1
- Airport Operational Manager (AOM) 1.3 - 1.4
- Industrial IoT 4.4.2.0 - 5.0.0.2
- Inter-System Gateway (IS Gateway) 1.0 - 1.1
- Restricted Security Area (RSA) Surveillance 3.4 - 4.2
- Sipelia 2.8 SR1, 2.9 GA, and 2.10 GA
Cause
This issue, identified as CVE-2022-37026, originates from a bug in Erlang/OTP, which is used by the RabbitMQ message broker.
Workaround
- Sipelia: Upgrade Sipelia to version 2.12 GA, available from the GTAP Product Download page.
- All other affected products: Upgrade RabbitMQ to version 3.9.15.1, available from the GTAP Product Download page.
IMPORTANT: If you are running Genetec Mission Control™ 2.11 GA or SR1, or 2.12.1.0 - 2.12.1.5, manually restart the Genetec™ Server service after the upgrade.
The new RabbitMQ installer enforces a strong password policy, which might require updating your password.
Status
This issue will be resolved in the next releases of the affected products.