diff --git a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
index 2b572a98c..b8f7b3327 100644
--- a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
+++ b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
@@ -1,6 +1,6 @@
 {application, emqx_bridge_rabbitmq, [
 {description, "EMQX Enterprise RabbitMQ Bridge"},
- {vsn, "0.1.1"},
+ {vsn, "0.1.2"},
 {registered, []},
 {applications, [kernel, stdlib, ecql, rabbit_common, amqp_client]},
 {env, []},
diff --git a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
index 3e809d99c..749cb8bc1 100644
--- a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
+++ b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
@@ -13,6 +13,7 @@
 %% Needed to create RabbitMQ connection
 -include_lib("amqp_client/include/amqp_client.hrl").
+-include_lib("credentials_obfuscation/include/credentials_obfuscation.hrl").
 -behaviour(emqx_resource).
 -behaviour(hocon_schema).
@@ -230,6 +231,17 @@ on_start(
 processed_payload_template => ProcessedTemplate,
 config => Config
 },
+ %% Initialize RabbitMQ's secret library so that the password is encrypted
+ %% in the log files.
+ case credentials_obfuscation:secret() of
+ ?PENDING_SECRET ->
+ Bytes = crypto:strong_rand_bytes(128),
+ %% The password can appear in log files if we don't do this
+ credentials_obfuscation:set_secret(Bytes);
+ _ ->
+ %% Already initialized
+ ok
+ end,
 case emqx_resource_pool:start(InstanceID, ?MODULE, Options) of
 ok ->
 {ok, State};
diff --git a/changes/ee/fix-10878.en.md b/changes/ee/fix-10878.en.md
new file mode 100644
index 000000000..dc1ea04d9
--- /dev/null
+++ b/changes/ee/fix-10878.en.md
@@ -0,0 +1 @@
+A vulnerability in the RabbitMQ bridge, which could potentially expose passwords to log files, has been rectified
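Review bot: The new `-include_lib("credentials_obfuscation/include/credentials_obfuscation.hrl").` gives this module a direct compile-time dependency on credentials_obfuscation, and the on_start hunk calls it at runtime, yet the `applications` list visible in emqx_bridge_rabbitmq.app.src still reads `[kernel, stdlib, ecql, rabbit_common, amqp_client]`. It presumably arrives transitively through the RabbitMQ client libraries, but a security fix should not rest on an implicit dependency. Adding `credentials_obfuscation` to that list would guarantee the application is started before `credentials_obfuscation:secret()` is called. The build dependency declaration is not visible in this diff, so confirm it is declared there too.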
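Review bot: The `credentials_obfuscation:secret()` check followed by `credentials_obfuscation:set_secret(Bytes)` in on_start is a check-then-set, so two RabbitMQ bridges starting concurrently can both see `?PENDING_SECRET` and each install a different random secret. If the library has already obfuscated a password under the first secret when the second is installed, later de-obfuscation would presumably fail; initialising once at application start, or from a single serialising process, avoids that. The added comment also says the password is "encrypted in the log files", which is not quite what this does. I would word it as `%% Set the obfuscation secret so the AMQP client keeps the password obfuscated in its state and it cannot leak into crash logs.` on_start begins and ends outside this hunk, so how its callers are serialised is not visible here.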