populate some CVEs in the cpp-broker and java-broker

Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/79eb6b38
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/79eb6b38
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/79eb6b38

Branch: refs/heads/asf-site
Commit: 79eb6b382ac8e90c9b9f0c5a209775b0eca74da6
Parents: 022695b
Author: Lorenz Quack <[email protected]>
Authored: Wed Jun 1 11:28:19 2016 +0100
Committer: Lorenz Quack <[email protected]>
Committed: Wed Jun 1 11:28:19 2016 +0100

----------------------------------------------------------------------
 input/components/cpp-broker/security.md  | 167 +++++++++++++++++++++++++-
 input/components/java-broker/security.md |  90 +++++++++++++-
 2 files changed, 250 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/79eb6b38/input/components/cpp-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/security.md 
b/input/components/cpp-broker/security.md
index 1ec9682..8dd34d2 100644
--- a/input/components/cpp-broker/security.md
+++ b/input/components/cpp-broker/security.md
@@ -6,9 +6,9 @@
 ;; to you under the Apache License, Version 2.0 (the
 ;; "License"); you may not use this file except in compliance
 ;; with the License.  You may obtain a copy of the License at
-;; 
+;;
 ;;   http://www.apache.org/licenses/LICENSE-2.0
-;; 
+;;
 ;; Unless required by applicable law or agreed to in writing,
 ;; software distributed under the License is distributed on an
 ;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -23,6 +23,167 @@
 
 ## C++ Broker
 
-TBD
+<table>
+  <thead>
+    <tr>
+      
<th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>CVE-2015-0224</td>
+      <td>Moderate</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>qpidd can be crashed by unauthenticated user
+       <a id="CVE_2015_0224_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2015_0224_details', 
controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+       <div style="display:none;" id="CVE_2015_0224_details">
+         <p>Description: In CVE-2015-0203 it was announced that
+           certain unexpected protocol sequences cause the broker
+           process to crash due to insufficient checking, but that
+           authentication could be used to restrict the exploitation
+           of this vulnerability.<br/>  It has now been discovered
+           that in fact failing authentication does not necessarily
+           prevent exploitation of those reported
+           vulnerabilities.<br/>  Further, it was stated that one of
+           the specific vulnerabilities was that the qpidd broker can
+           be crashed by sending it a sequence-set containing an
+           invalid range, where the start of the range is after the
+           end. This was an incorrect analysis of the vulnerability,
+           which is in fact caused by a sequence-set containing a
+           single range expressing the maximum possible gap.</p>
+
+         <p>Solution: A further patch is available that handles a
+         range expressing the maximum possible gap without assertion
+         (<a 
href="https://issues.apache.org/jira/browse/QPID-6310";>QPID-6310</a>). The
+         fix will be included in subsequent releases, but can be
+         applied to 0.30 if desired.</p>
+
+         <p>Credit: This issue was discovered by G. Geshev from MWR
+         Labs</p>
+       </div>
+     </td>
+    </tr>
+
+    <tr>
+      <td>CVE-2015-0223</td>
+      <td>Moderate</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>anonymous access to qpidd cannot be prevented
+       <a id="CVE_2015_0223_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2015_0223_details', 
controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+       <div style="display:none;" id="CVE_2015_0223_details">
+         <p>Description: An attacker can gain access to qpidd as an
+         anonymous user, even if the ANONYMOUS mechanism is
+         disallowed.</p>
+
+         <p>Solution: A patch is available
+         (<a 
href="https://issues.apache.org/jira/browse/QPID-6325";>QPID-6325</a>)
+         that addresses this vulnerability. The fix will be included
+         in subsequent releases, but can be applied to 0.30 if
+         desired.</p>
+
+         <p>Common Vulnerability Score information: Authorization can
+         be used to restrict access to broker entities such as queue
+         and exchanges.</p>
+
+         <p>Credit: This issue was discovered by G. Geshev from MWR
+         Labs</p>
+       </div>
+     </td>
+    </tr>
+
+    <tr>
+      <td>CVE-2015-0203</td>
+      <td>Moderate</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>qpidd can be crashed by authenticated user
+       <a id="CVE_2015_0203_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2015_0203_details', 
controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+       <div style="display:none;" id="CVE_2015_0203_details">
+         <p>Description: Certain unexpected protocol sequences cause
+         the broker process to crash due to insufficient
+         checking. Three distinct cases were identified as follows:<br/>
+         The AMQP 0-10 protocol defines a sequence set containing
+         id ranges. The qpidd broker can be crashed by sending it a
+         sequence-set containing an invalid range, where the start of
+         the range is after the end. This condition causes an
+         assertion, which causes the broker process to exit.<br/>
+         The AMQP 0-10 protocol defines header- and body- segments
+         that may follow certain commands. The only command for which
+         such segments are expected by qpidd is the message-transfer
+         command. If another command is sent that includes header
+         and/or body segments, this will cause a segmentation fault
+         in the broker process, causing it then to exit.<br/>
+         The AMQP 0-10 protocol defines a session-gap control that
+         can be sent on any established session. The qpidd broker
+         does not support this control and responds with an
+         appropriate error if requested on an established
+         session. However, if the control is sent before the session
+         is opened, the brokers handling causes an assertion which
+         results in the broker process exiting.</p>
+
+         <p>Solution: A patch is available
+         (<a 
href="https://issues.apache.org/jira/browse/QPID-6310";>QPID-6310</a>)
+         that handles all these errors by sending an exception
+         control to the remote peer and leave the broker available to
+         all other users. The fix will be included in subsequent
+         releases, but can be applied to 0.30 if desired.</p>
+
+         <p>Common Vulnerability Score information: Authentication
+         can be used to restrict access to the broker. However any
+         authenticated user would be able to trigger this condition
+         which could therefore be considered a form of denial of
+         service.</p>
+
+         <p>Credit: This issue was discovered by G. Geshev from MWR
+         Labs</p>
+       </div>
+     </td>
+    </tr>
+
+    <tr>
+      <td>CVE-2014-3629</td>
+      <td>Low</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>qpidd can be induced to make http requests
+       <a id="CVE_2014_3629_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2014_3629_details', 
controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+       <div style="display:none;" id="CVE_2014_3629_details">
+         <p>Description: The XML exchange type is an optional,
+         dynamically loaded module for qpidd that allows creation of
+         exchanges that route messages based on evaluating an xquery
+         expression against them.<br/>On parsing a message sent to an
+         XML exchange, whose body is XML containing a link to a DTD,
+         the broker process will attempt to retrieve the referenced
+         resource(s). I.e. the broker process may be induced to make
+         outgoing HTTP connections by publishing a message containing
+         links to an XML exchange.</p>
+
+         <p>Solution:
+         A <a 
href="https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch";>patch</a>
+         is available that prevents any retrieval of external
+         entities referenced in the XML. This will be included in
+         subsequent releases, but can be applied to 0.30 if
+         desired.</p>
+
+         <p>Common Vulnerability Score information: If the XML
+         exchange functionality is not required, the module in
+         question need not be loaded at all. This can be done either
+         by moving the module - named xml.so - out of the module
+         directory, or by setting the --no-module-dir option and
+         adding an explicit --load-module argument for every required
+         module.<br/>Where the XML exchange functionality is
+         required, authorisation may be enabled to prevent all but
+         trusted users from creating or publishing to xml
+         exchanges.</p>
+
+         <p>Credit: This issue was discovered by G. Geshev from MWR
+         Labs</p>
+       </div>
+     </td>
+    </tr>
+  </tbody>
+</table>
 
 </section>
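Review bot: the Solution paragraphs in this hunk keep the advisory-time wording "The fix will be included in subsequent releases, but can be applied to 0.30 if desired" (CVE-2015-0224, CVE-2015-0223, CVE-2015-0203 and CVE-2014-3629) while the new Fixed-in column already names "0.32 and later", so the detail text reads as if no fixed release exists yet; reword along the lines of "Fixed in 0.32 and later; the patch (QPID-6310) can also be applied to 0.30" so prose and column agree. Smaller points: "the brokers handling causes an assertion" in the CVE-2015-0203 entry should be "the broker's handling"; the CVE-2014-3629 Solution links straight to a JIRA attachment (`.../attachment/12680198/QPID-6218.patch`) while every other entry links the issue, so link QPID-6218 itself and point to the attachment from there; and the `href="javascript:toggleDiv(...)"` show-more toggles are inline script that a future site Content-Security-Policy without `'unsafe-inline'` would block, so binding a click handler to the existing `*_details_toggle` ids would be more robust. Finally, if the `";>` following each JIRA href (e.g. `QPID-6310";>`) is in the committed file rather than an artifact of the mail-archive rendering, the stray semicolon breaks the anchor tag and should be removed.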

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/79eb6b38/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md 
b/input/components/java-broker/security.md
index f09e819..8f3ad91 100644
--- a/input/components/java-broker/security.md
+++ b/input/components/java-broker/security.md
@@ -25,10 +25,92 @@
 
 ### CVEs
 
-| CVE-ID        | Severity  | Fixed&nbsp;in&nbsp;Version | Description |
-| ------------- |:---------:|:-----------------|:------------|
-| CVE-2016-3094 | Important | 6.0.3            | Denial of Service.  <a 
id="CVE_2016_3094_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2016_3094_details', 
controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a><div 
style="display:none;" id="CVE_2016_3094_details"><p>Versions Affected: Qpid 
Java Broker versions 6.0.0, 6.0.1, and 6.0.2</p><p>Description: A malformed 
authentication attempt may cause the broker to terminate.  The Qpid Java Broker 
supports a number of configurable authentication providers each supporting 
various SASL mechanisms. Some mechanisms need (or can be configured to accept) 
plain-text passwords being sent to the Broker (using the SASL "PLAIN" 
mechanism).  Where the broker has been configured to allow plain-text passwords 
for authentication it is possible for a client to send a malformed 
authentication attempt which will lead the broker to terminate due to an unca
 ught Exception.<br/>Brokers configured to use authentication from the 
"PlainPasswordFile", "SimpleLDAP", or "Base64MD5PasswordFile" providers are 
vulnerable if the "PLAIN" mechanism is enabled (by default "PLAIN" will be 
disabled on non-TLS ports, but enabled on TLS connections).</p>Mitigation: 
Users should upgrade their Qpid Java Broker to version 6.0.3 or later.  If this 
is not possible, users can disable the PLAIN mechanism for their authentication 
manager on versions 0.32 and later by adding "PLAIN" to the list of 
disabledMechanisms on their authentication provider object.<br/>Note that the 
SimpleLDAP authentication provider requires PLAIN and so this work around does 
not apply there.</p><p>Credit: This issue was discovered by Alex Szczuczko of 
Red Hat, Inc.</p><p>References: <a 
href="https://issues.apache.org/jira/browse/QPID-7271";>https://issues.apache.org/jira/browse/QPID-7271</a></p></div>
 |
-| CVE-2016-4432 | Important | 6.0.3 | Authentication Bypass. <a 
id="CVE_2016_4432_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2016_4432_details', 
controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a><div 
style="display:none;" id="CVE_2016_4432_details"><p>Versions Affected: Qpid 
Java Broker versions 6.0.2 and earlier</p><p>Description: The code responsible 
for handling incoming AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw 
that allows authentication to be bypassed.  An remote attacker can exploit this 
vulnerability to perform actions, without the need to specify valid 
credentials.  For instance, unauthorised messages could be injected or messages 
stolen.<br/>The vulnerability cannot be exploited if the Access Control List 
(ACL) feature is enabled AND access to all virtual hosts controlled.<br/>The 
vulnerability does not apply to the Broker's AMQP 1.0 support.<br/>The 
 vulnerability does not apply if the Broker is configured to require SSL client 
authentication for all messaging connections.</p><p>Resolution: Users should 
upgrade the Qpid Java Broker to version 6.0.3 or later 
(recommended).</p><p>Mitigation: If upgrading is not possible, the 
vulnerability can be mitigated using an ACL file containing "ACCESS 
VIRTUALHOST" clauses that white-lists user access to all virtualhosts.<br/>If 
AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can 
also be mitigated by turning off these protocols at the Port 
level.</p><p>References: <a 
href="https://issues.apache.org/jira/browse/QPID-7257";>https://issues.apache.org/jira/browse/QPID-7257</a></p></div>
 |
+<table>
+  <thead>
+    <tr>
+      
<th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>CVE-2016-4432</td>
+      <td>Important</td>
+      <td>6.0.2 and earlier</td>
+      <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
+      <td>
+        Authentication Bypass. <a id="CVE_2016_4432_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2016_4432_details', 
controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE_2016_4432_details">
+          <p>Versions Affected: Qpid Java Broker versions 6.0.2 and
+          earlier</p>
+          <p>Description: The code responsible for handling incoming
+          AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw
+          that allows authentication to be bypassed.  An remote
+          attacker can exploit this vulnerability to perform actions,
+          without the need to specify valid credentials.  For
+          instance, unauthorised messages could be injected or
+          messages stolen.<br/>The vulnerability cannot be exploited
+          if the Access Control List (ACL) feature is enabled AND
+          access to all virtual hosts controlled.<br/>The
+          vulnerability does not apply to the Broker's AMQP 1.0
+          support.<br/>The vulnerability does not apply if the Broker
+          is configured to require SSL client authentication for all
+          messaging connections.</p>
+          <p>Resolution: Users should upgrade the Qpid Java Broker to
+          version 6.0.3 or later (recommended).</p>
+          <p>Mitigation: If upgrading is not possible, the
+          vulnerability can be mitigated using an ACL file containing
+          "ACCESS VIRTUALHOST" clauses that white-lists user access to
+          all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10
+          support is not required, the vulnerability can also be
+          mitigated by turning off these protocols at the Port
+          level.</p>
+          <p>References: <a 
href="https://issues.apache.org/jira/browse/QPID-7257";>QPID-7257</a></p>
+        </div>
+      </td>
+    </tr>
 
+    <tr>
+      <td>CVE-2016-3094</td>
+      <td>Important</td>
+      <td>6.0.0, 6.0.1, 6.0.2</td>
+      <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
+      <td>
+        Denial of Service.
+        <a id="CVE_2016_3094_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2016_3094_details', 
controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE_2016_3094_details">
+          <p>Versions Affected: Qpid Java Broker versions 6.0.0,
+          6.0.1, and 6.0.2</p>
+          <p>Description: A malformed authentication attempt may cause
+          the broker to terminate.  The Qpid Java Broker supports a
+          number of configurable authentication providers each
+          supporting various SASL mechanisms. Some mechanisms need (or
+          can be configured to accept) plain-text passwords being sent
+          to the Broker (using the SASL "PLAIN" mechanism).  Where the
+          broker has been configured to allow plain-text passwords for
+          authentication it is possible for a client to send a
+          malformed authentication attempt which will lead the broker
+          to terminate due to an uncaught Exception.<br/>  Brokers
+          configured to use authentication from the
+          "PlainPasswordFile", "SimpleLDAP", or
+          "Base64MD5PasswordFile" providers are vulnerable if the
+          "PLAIN" mechanism is enabled (by default "PLAIN" will be
+          disabled on non-TLS ports, but enabled on TLS
+          connections).</p>
+          <p>Mitigation: Users should upgrade their Qpid Java Broker
+          to version 6.0.3 or later.  If this is not possible, users
+          can disable the PLAIN mechanism for their authentication
+          manager on versions 0.32 and later by adding "PLAIN" to the
+          list of disabledMechanisms on their authentication provider
+          object.<br/>Note that the SimpleLDAP authentication provider
+          requires PLAIN and so this work around does not apply
+          there.</p>
+          <p>Credit: This issue was discovered by Alex Szczuczko of
+          Red Hat, Inc.</p>
+          <p>References: <a 
href="https://issues.apache.org/jira/browse/QPID-7271";>QPID-7271</a></p>
+        </div>
+      </td>
+    </tr>
+  </tbody>
+</table>
 
 </section>
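Review bot: "An remote attacker can exploit this vulnerability" in the CVE-2016-4432 entry should read "A remote attacker"; the sentence was carried over verbatim from the old table row. The two entries also label remediation differently: CVE-2016-4432 has separate "Resolution" (upgrade to 6.0.3) and "Mitigation" (ACL file / disabling AMQP 0-8, 0-9, 0-91, 0-10 on the port) paragraphs, whereas CVE-2016-3094 folds the upgrade advice and the disabledMechanisms workaround into one "Mitigation" paragraph; splitting the latter the same way, so that "Resolution" is always the fixed release and "Mitigation" always the workaround, makes the page easier to scan. The rewrite does fix the old row's unclosed `</p>Mitigation:` markup, but the new "Affected Versions" column ("6.0.2 and earlier" / "6.0.0, 6.0.1, 6.0.2") now duplicates the "Versions Affected" line inside each details block, so one of the two could be dropped. As with the other file, if the `";>` after the QPID-7257 and QPID-7271 hrefs is in the committed source rather than the archive rendering, the semicolon needs removing.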

