http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4467.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-4467.html b/content/cves/CVE-2016-4467.html new file mode 100644 index 0000000..48a6dc4 --- /dev/null +++ b/content/cves/CVE-2016-4467.html 
@@ -0,0 +1,207 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>CVE-2016-4467 - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div 
id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> 
+ </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4467</li></ul> + + <div id="-middle-content"> + <h1 id="cve-2016-4467">CVE-2016-4467</h1> + +<h2 id="severity">Severity</h2> + +<p>Medium</p> + +<h2 id="affected-components">Affected components</h2> + +<p>Qpid Proton</p> + +<h2 id="affected-versions">Affected versions</h2> + +<p>0.8 through 0.13.0 inclusive</p> + +<h2 id="fixed-versions">Fixed versions</h2> + +<p>0.13.1 and later</p> + +<h2 id="description">Description</h2> + +<p>Failure to verify that the server host name matches the certificate +host name on Windows.</p> + +<p>Messaging applications using the Proton C library to provide SSL/TLS +authentication on Windows can falsely authenticate a server whose name +does not match the server name in the connection specifier. Proton C +bindings are affected to a greater or lesser degree depending on how +they use the underlying Proton C library.</p> + +<p>In Proton C, this can only happen if PN_SSL_VERIFY_PEER_NAME has been +specified as the verification mode and pn_ssl_set_peer_hostname() has +not been called at all or has been called with a NULL value for a +particular pn_ssl_t object.</p> + +<p>In the Proton C++ binding, this will always happen unless the +application has separately specified a virtual_host name for an +SSL/TLS connection.</p> + +<p>In the Proton Python and Ruby bindings, this will only happen if the +application has separately specified a NULL virtual_host name for an +SSL/TLS connection after creating the connection but before the +authentication step.</p> + +<p>This issue only occurs on Windows versions of Proton that use the +default SChannel-based security layer.</p> + +<p>In any of the preceding cases, it is possible for a man-in-the-middle +attacker to spoof an SSL/TLS server if they had a certificate that was +valid for any of the application's Certificate Authorities.</p> + +<h2 id="resolution">Resolution</h2> + 
+<p>Proton release 0.13.1 resolves this issue in the SChannel-based +security layer by obtaining a default non-NULL peer hostname from the +associated connection address when initialized and by always failing +hostname verification if PN_SSL_VERIFY_PEER_NAME has been specified +along with a NULL peer hostname. This resolution matches the +associated behaviour of the OpenSSL-based security layer.</p> + +<h2 id="references">References</h2> + +<p><a href="https://issues.apache.org/jira/browse/PROTON-1228">PROTON-1228</a> and +<a href="https://issues.apache.org/jira/browse/PROTON-1233">PROTON-1233</a></p> + + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html>
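Review bot: the page has no Mitigation section for users who cannot move to 0.13.1, even though the Description already spells out exactly when the check is skipped, so the guidance can be derived from the visible text and should be stated explicitly: in Proton C, call pn_ssl_set_peer_hostname() with a non-NULL name on every pn_ssl_t that uses PN_SSL_VERIFY_PEER_NAME; in the C++ binding, always set virtual_host for SSL/TLS connections; in the Python and Ruby bindings, never set virtual_host to NULL after creating the connection and before authentication. The Resolution paragraph could also make clear that after 0.13.1 a NULL peer hostname combined with PN_SSL_VERIFY_PEER_NAME now fails the connection rather than silently passing, since that is a behaviour change applications that relied on the old default will notice.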
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4974.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-4974.html b/content/cves/CVE-2016-4974.html new file mode 100644 index 0000000..0f13648 --- /dev/null +++ b/content/cves/CVE-2016-4974.html 
@@ -0,0 +1,196 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>CVE-2016-4974 - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div 
id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> 
+ </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4974</li></ul> + + <div id="-middle-content"> + <h1 id="cve-2016-4974">CVE-2016-4974</h1> + +<h2 id="severity">Severity</h2> + +<p>Moderate</p> + +<h2 id="affected-components">Affected components</h2> + +<p>Qpid JMS</p> + +<h2 id="affected-versions">Affected versions</h2> + +<p>0.9.0 and earlier</p> + +<h2 id="fixed-versions">Fixed versions</h2> + +<p>0.10.0 and later</p> + +<h2 id="description">Description</h2> + +<p>Deserialization of untrusted input while using JMS ObjectMessage.</p> + +<p>When applications call getObject() on a consumed JMS ObjectMessage +they are subject to the behaviour of any object deserialization during +the process of constructing the body to return. Unless the application +has taken outside steps to limit the deserialization process, they +can't protect against input that might try to make undesired use of +classes available on the application classpath that might be +vulnerable to exploitation. In order to exploit this vulnerability, an +attacker would need to be able to inject a suitably crafted AMQP +message containing the malicious JMS Object Message into the AMQP +message network. For this, the attacker would require valid +authentication credentials and suitable authorisation.</p> + +<h2 id="mitigation">Mitigation</h2> + +<p>Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or +later, and use the new configuration options to whitelist trusted +content permitted for deserialization. When so configured, attempts to +deserialize input containing other content will be +prevented. 
Alternatively, users of older client releases may utilise +other means such as agent-based approaches to help govern content +permitted for deserialization in their application.</p> + +<h2 id="credit">Credit</h2> + +<p>This issue was discovered by Matthias Kaiser of Code White +(www.code-white.com).</p> + +<h2 id="references">References</h2> + +<p><a href="https://issues.apache.org/jira/browse/QPIDJMS-188">QPIDJMS-188</a></p> + + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-8741.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-8741.html b/content/cves/CVE-2016-8741.html new file mode 100644 index 0000000..6835235 --- /dev/null +++ b/content/cves/CVE-2016-8741.html 
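Review bot: the Mitigation paragraph for CVE-2016-4974 tells users to "use the new configuration options to whitelist trusted content permitted for deserialization" but never names the options, so a reader cannot act on the advisory without going to QPIDJMS-188; name the options (or link to the client configuration page) and state what 0.10.0 does by default when none are set. "Other means such as agent-based approaches" is similarly vague for users of older releases and should either name a concrete approach or be dropped. It would also help to say, as follows from the first sentence of the Description, that applications which never call getObject() on a consumed ObjectMessage are not exposed. Minor: "JMS Object Message" in the Description should read "ObjectMessage" to match the class name used elsewhere on the page.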
@@ -0,0 +1,191 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>CVE-2016-8741 - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div 
id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> 
+ </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-8741</li></ul> + + <div id="-middle-content"> + <h1 id="cve-2016-8741">CVE-2016-8741</h1> + +<h2 id="severity">Severity</h2> + +<p>Moderate</p> + +<h2 id="affected-components">Affected components</h2> + +<p>Qpid Broker for Java</p> + +<h2 id="affected-versions">Affected versions</h2> + +<p>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p> + +<h2 id="fixed-versions">Fixed versions</h2> + +<p><a href="/releases/qpid-java-6.0.6/index.html">6.0.6</a>, <a href="/releases/qpid-java-6.1.1/index.html">6.1.1</a></p> + +<h2 id="description">Description</h2> + +<p>Information Leakage.</p> + +<p>The Qpid Broker for Java can be configured to use different so called +AuthenticationProviders to handle user authentication. Among the +choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider +types.</p> + +<p>It was discovered that these AuthenticationProviders prematurely +terminate the SCRAM SASL negotiation if the provided user name does +not exist thus allowing remote attacker to determine the existence of +user accounts.</p> + +<p>The Vulnerability does not apply to AuthenticationProviders other than +SCRAM-SHA-1 and SCRAM-SHA-256.</p> + +<h2 id="mitigation">Mitigation</h2> + +<p>Users should upgrade the Qpid Broker for Java to version 6.0.6, +6.1.1, or later (recommended).</p> + +<p>If upgrading is not possible, the vulnerability can be mitigated by +using an AuthenticationProvider other than SCRAM-SHA-1 and +SCRAM-SHA-256.</p> + +<h2 id="references">References</h2> + +<p><a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p> + + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a 
href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/template.html ---------------------------------------------------------------------- diff --git a/content/cves/template.html b/content/cves/template.html new file mode 100644 index 0000000..31e5664 --- /dev/null +++ b/content/cves/template.html 
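Review bot: the Affected versions list for CVE-2016-8741 starts at 6.0.1 and stops at 6.1.0, which leaves 6.0.0 and earlier unstated; if those releases are not affected, say so explicitly ("6.0.0 and earlier are not affected"), otherwise extend the list, since readers will otherwise assume a gap. The Mitigation advice to switch to an AuthenticationProvider other than SCRAM-SHA-1 and SCRAM-SHA-256 should carry a caveat that the replacement must not weaken credential protection in transit (for example only be used over TLS), because the SCRAM mechanisms are the ones that do not expose the password to the broker. Wording in the Description: "so called" should be "so-called", "allowing remote attacker" needs an article ("a remote attacker"), and "The Vulnerability" should not be capitalised.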
@@ -0,0 +1,167 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>CVE-YYYY-NNNN - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div 
id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> 
+ </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-YYYY-NNNN</li></ul> + + <div id="-middle-content"> + <h1 id="cve-yyyy-nnnn">CVE-YYYY-NNNN</h1> + +<h2 id="severity">Severity</h2> + +<p>Important +Moderate +Low</p> + +<h2 id="affected-components">Affected components</h2> + +<h2 id="affected-versions">Affected versions</h2> + +<h2 id="fixed-versions">Fixed versions</h2> + +<h2 id="description">Description</h2> + +<h2 id="resolution">Resolution</h2> + +<h2 id="mitigation">Mitigation</h2> + +<h2 id="credit">Credit</h2> + +<h2 id="references">References</h2> + + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/proton/index.html ---------------------------------------------------------------------- diff --git a/content/proton/index.html b/content/proton/index.html index 2513ad4..23d001b 100644 --- a/content/proton/index.html +++ b/content/proton/index.html 
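Review bot: the Severity placeholder in template.html offers "Important / Moderate / Low", but the new CVE-2016-4467.html page added in this same commit uses "Medium" while CVE-2016-4974.html and CVE-2016-8741.html use "Moderate"; pick one scale and either change the Proton page or add "Medium" to the template so future pages stay consistent. The CVE identifier appears in three places that must all be edited together (the title, the path-navigation breadcrumb, and both the id and text of the h1), which is worth a comment at the top of the template so an author does not update only the heading.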
@@ -202,6 +202,7 @@ platform, environment, or language. More about <h2 id="resources">Resources</h2> <ul> +<li><a href="security.html">Security</a></li> <li><a href="submitting-patches.html">Contributing to Proton</a></li> <li><a href="messenger.html">Proton Messenger</a></li> <li><a href="https://cwiki.apache.org/confluence/display/qpid/proton">Proton wiki pages</a></li> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/proton/security.html ---------------------------------------------------------------------- diff --git a/content/proton/security.html b/content/proton/security.html index 3a5114d..57adb61 100644 --- a/content/proton/security.html +++ b/content/proton/security.html 
@@ -116,123 +116,36 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <div id="-middle-content"> <h1 id="security">Security</h1> -<section> - -<h2 id="proton">Proton</h2> - <table> - <thead> - <tr> - <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th> - </tr> - </thead> - <tbody> - <tr> - <td>CVE-2016-4467</td> - <td>Medium</td> - <td>0.8 through 0.13.0 (inclusive)</td> - <td>0.13.1 and later</td> - <td>Failure to verify that the server host name matches the certificate host name on Windows - <a id="CVE_2016_4467_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4467_details', controlId:'CVE_2016_4467_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2016_4467_details"> - - <p>Messaging applications using the Proton C library to - provide SSL/TLS authentication on Windows can falsely - authenticate a server whose name does not match the server - name in the connection specifier. 
Proton C bindings are - affected to a greater or lesser degree depending on how - they use the underlying Proton C library.</p> - - <p>In Proton C, this can only happen if - PN_SSL_VERIFY_PEER_NAME has been specified as the - verification mode and pn_ssl_set_peer_hostname() has not - been called at all or has been called with a NULL value for - a particular pn_ssl_t object.</p> - - <p>In the Proton C++ binding, this will always happen unless - the application has separately specified a virtual_host name - for an SSL/TLS connection.</p> - - <p>In the Proton Python and Ruby bindings, this will only - happen if the application has separately specified a NULL - virtual_host name for an SSL/TLS connection after creating - the connection but before the authentication step.</p> - - <p>This issue only occurs on Windows versions of Proton that - use the default SChannel-based security layer.</p> - - <p>In any of the preceding cases, it is possible for a - man-in-the-middle attacker to spoof an SSL/TLS server if - they had a certificate that was valid for any of the - application's Certificate Authorities.</p> - - <p>Resolution: Proton release 0.13.1 resolves this issue in - the SChannel-based security layer by obtaining a default - non-NULL peer hostname from the associated connection - address when initialized and by always failing hostname - verification if PN_SSL_VERIFY_PEER_NAME has been specified - along with a NULL peer hostname. This resolution matches - the associated behaviour of the OpenSSL-based security - layer.</p> - - <p>References: <a - href="https://issues.apache.org/jira/browse/PROTON-1228">PROTON-1228</a> - and <a - href="https://issues.apache.org/jira/browse/PROTON-1233">PROTON-1233</a>.</p> - </div> - </td> - </tr> - <tr> - <td>CVE-2016-2166</td> - <td>Moderate</td> - <td>0.9 through 0.12.0 (inclusive)</td> - <td>0.12.1 and later</td> - <td> - Python bindings silently ignore request for amqps if SSL/TLS not supported. 
<a id="CVE_2016_2166_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_2166_details', controlId:'CVE_2016_2166_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2016_2166_details"> - <p>Versions Affected: Apache Qpid Proton python API starting - at 0.9 up to and including version 0.12.0.</p> - <p>Description: Messaging applications using the Proton - Python API to provision an SSL/TLS encrypted TCP connection - may actually instantiate a non-encrypted connection without - notice if SSL support is unavailable. This will result in - all messages being sent in the clear without the knowledge - of the user.<br/> This issue affects those applications - that use the Proton Reactor Python API to create SSL/TLS - connections. Specifically the proton.reactor.Connector, - proton.reactor.Container, and - proton.utils.BlockingConnection classes are vulnerable. - These classes can create an unencrypted connections if the - "amqps://" URL prefix is used.<br/> The issue only occurs - if the installed Proton libraries do not support SSL. This - would be the case if the libraries were built without SSL - support or the necessary SSL libraries are not present on - the system (e.g. OpenSSL in the case of *nix).<br/> To - check whether or not the Python API provides SSL support, - use the following console command:<br/>python -c "import - proton; print('%s' % 'SSL present' if proton.SSL.present() - else 'SSL NOT AVAILBLE')"<br/>In addition, the issue can - only occur if both ends of the connection connect without - SSL. 
This would be the case if the vulnerability is active - on both ends of the connection, or the non-affected endpoint - allows cleartext connections.</p> - <p>Resolution: Proton release 0.12.1 resolves this issue by - raising an SSLUnavailable exception when SSL is not - available and a SSL/TLS connection is requested via the - "amqps://" URL - prefix.<br/>A <a href="https://issues.apache.org/jira/browse/PROTON-1157">patch</a> - is also available.</p> - <p>References: <a href="https://issues.apache.org/jira/browse/PROTON-1157">PROTON-1157</a></p> - <p>Credit: This issue was discovered by M. Farrellee from Red Hat.</p> - </div> - </td> - </tr> - </tbody> +<thead> +<tr> + <th>CVE-ID</th> + <th>Severity</th> + <th>Affected versions</th> + <th>Fixed versions</th> + <th>Summary</th> +</tr> +</thead> +<tbody> +<tr> + <td><a href="/cves/CVE-2016-4467.html">CVE-2016-4467</a></td> + <td>Medium</td> + <td>0.8 through 0.13.0 inclusive</td> + <td>0.13.1 and later</td> + <td>Failure to verify that the server host name matches the certificate host name on Windows</td> +</tr> +<tr> + <td><a href="/cves/CVE-2016-2166.html">CVE-2016-2166</a></td> + <td>Moderate</td> + <td>0.9 through 0.12.0 inclusive</td> + <td>0.12.1 and later</td> + <td>Python bindings silently ignore request for amqps if SSL/TLS not supported</td> +</tr> +</tbody> </table> -</section> - -<p>See the main <a href="/security.html">Security</a> page for general information and details for other components.</p> +<p>See the main <a href="/security.html">Security</a> page for general +information and details for other components.</p> <hr/> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/security.html ---------------------------------------------------------------------- diff --git a/content/security.html b/content/security.html index e25e041..52e7661 100644 --- a/content/security.html +++ b/content/security.html 
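Review bot: the two Proton rows use different severity vocabularies, "Medium" for CVE-2016-4467 and "Moderate" for CVE-2016-2166, and since this commit is already normalising wording across the security pages (the other component tables use Low/Moderate/Important), pick one term for the Severity column here. The dropped "show more" text also carried the only operational check on this page, the `python -c "import proton; ... proton.SSL.present() ..."` command for confirming SSL support, so make sure the new `/cves/CVE-2016-2166.html` page keeps it rather than just the one-line summary.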
@@ -118,7 +118,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <section> -<h2 id="security-updates">Security Updates</h2> +<h2 id="security-updates">Security updates</h2> <p>Details of security problems fixed in released versions of individual Apache Qpid components are detailed at:</p> @@ -129,7 +129,7 @@ Qpid components are detailed at:</p> <ul> <li><a href="/components/java-broker/security.html">Broker for Java</a></li> -<li><a href="/components/cpp-broker/security.html">C++ Broker</a></li> +<li><a href="/components/cpp-broker/security.html">C++ broker</a></li> </ul> </section> @@ -137,8 +137,7 @@ Qpid components are detailed at:</p> <section> <ul> -<li><a href="/components/jms/security.html">JMS Client (AMQP 1.0)</a></li> -<li><a href="/components/jms/security-0-x.html">JMS Client (AMQP 0.x)</a></li> +<li><a href="/components/jms/security.html">JMS client</a></li> <li><a href="/proton/security.html">Proton</a></li> </ul> @@ -150,7 +149,7 @@ Qpid components are detailed at:</p> <section> -<h2 id="reporting-new-security-problems-with-apache-qpid">Reporting New Security Problems with Apache Qpid</h2> +<h2 id="reporting-new-security-problems-with-apache-qpid">Reporting new security problems with Apache Qpid</h2> <p>We take a very active stance in eliminating security problems and denial of service attacks against Apache Qpid.</p> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/cpp-broker/index.md ---------------------------------------------------------------------- diff --git a/input/components/cpp-broker/index.md b/input/components/cpp-broker/index.md index c0bbd7d..78bab7d 100644 --- a/input/components/cpp-broker/index.md +++ b/input/components/cpp-broker/index.md 
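Review bot: the `-<li><a href="/components/jms/security-0-x.html">JMS Client (AMQP 0.x)</a></li>` removal drops a URL that published advisories for CVE-2016-4974 (AMQP 0-x client) may already link to; with `input/components/jms/security-0-x.md` deleted in this same patch, consider adding a redirect from `/components/jms/security-0-x.html` to `/components/jms/security.html` so those links keep resolving, and note in the commit message that the 0-x entries now live on the merged JMS page.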
@@ -90,6 +90,7 @@ that stores, routes, and forwards messages using AMQP. ## Resources + - [Security](security.html) - [Qpid extensions to AMQP](https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp) </div> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/cpp-broker/security.md ---------------------------------------------------------------------- diff --git a/input/components/cpp-broker/security.md b/input/components/cpp-broker/security.md index c705fb5..cfa9d3b 100644 --- a/input/components/cpp-broker/security.md +++ b/input/components/cpp-broker/security.md 
@@ -19,173 +19,12 @@ # Security -<section markdown="1"> - -## C++ Broker - -<table> - <thead> - <tr> - <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th> - </tr> - </thead> - <tbody> - <tr> - <td>CVE-2015-0224</td> - <td>Moderate</td> - <td>0.30 and earlier</td> - <td>0.32 and later</td> - <td>qpidd can be crashed by unauthenticated user - <a id="CVE_2015_0224_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0224_details', controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2015_0224_details"> - <p>Description: In CVE-2015-0203 it was announced that - certain unexpected protocol sequences cause the broker - process to crash due to insufficient checking, but that - authentication could be used to restrict the exploitation - of this vulnerability.<br/> It has now been discovered - that in fact failing authentication does not necessarily - prevent exploitation of those reported - vulnerabilities.<br/> Further, it was stated that one of - the specific vulnerabilities was that the qpidd broker can - be crashed by sending it a sequence-set containing an - invalid range, where the start of the range is after the - end. This was an incorrect analysis of the vulnerability, - which is in fact caused by a sequence-set containing a - single range expressing the maximum possible gap.</p> - - <p>Solution: A further patch is available that handles a - range expressing the maximum possible gap without assertion - (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>). The - fix will be included in subsequent releases, but can be - applied to 0.30 if desired.</p> - - <p>Credit: This issue was discovered by G. 
Geshev from MWR - Labs</p> - </div> - </td> - </tr> - - <tr> - <td>CVE-2015-0223</td> - <td>Moderate</td> - <td>0.30 and earlier</td> - <td>0.32 and later</td> - <td>anonymous access to qpidd cannot be prevented - <a id="CVE_2015_0223_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0223_details', controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2015_0223_details"> - <p>Description: An attacker can gain access to qpidd as an - anonymous user, even if the ANONYMOUS mechanism is - disallowed.</p> - - <p>Solution: A patch is available - (<a href="https://issues.apache.org/jira/browse/QPID-6325">QPID-6325</a>) - that addresses this vulnerability. The fix will be included - in subsequent releases, but can be applied to 0.30 if - desired.</p> - - <p>Common Vulnerability Score information: Authorization can - be used to restrict access to broker entities such as queue - and exchanges.</p> - - <p>Credit: This issue was discovered by G. Geshev from MWR - Labs</p> - </div> - </td> - </tr> - - <tr> - <td>CVE-2015-0203</td> - <td>Moderate</td> - <td>0.30 and earlier</td> - <td>0.32 and later</td> - <td>qpidd can be crashed by authenticated user - <a id="CVE_2015_0203_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0203_details', controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2015_0203_details"> - <p>Description: Certain unexpected protocol sequences cause - the broker process to crash due to insufficient - checking. Three distinct cases were identified as follows:<br/> - The AMQP 0-10 protocol defines a sequence set containing - id ranges. The qpidd broker can be crashed by sending it a - sequence-set containing an invalid range, where the start of - the range is after the end. 
This condition causes an - assertion, which causes the broker process to exit.<br/> - The AMQP 0-10 protocol defines header- and body- segments - that may follow certain commands. The only command for which - such segments are expected by qpidd is the message-transfer - command. If another command is sent that includes header - and/or body segments, this will cause a segmentation fault - in the broker process, causing it then to exit.<br/> - The AMQP 0-10 protocol defines a session-gap control that - can be sent on any established session. The qpidd broker - does not support this control and responds with an - appropriate error if requested on an established - session. However, if the control is sent before the session - is opened, the brokers handling causes an assertion which - results in the broker process exiting.</p> - - <p>Solution: A patch is available - (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>) - that handles all these errors by sending an exception - control to the remote peer and leave the broker available to - all other users. The fix will be included in subsequent - releases, but can be applied to 0.30 if desired.</p> - - <p>Common Vulnerability Score information: Authentication - can be used to restrict access to the broker. However any - authenticated user would be able to trigger this condition - which could therefore be considered a form of denial of - service.</p> - - <p>Credit: This issue was discovered by G. 
Geshev from MWR - Labs</p> - </div> - </td> - </tr> - - <tr> - <td>CVE-2014-3629</td> - <td>Low</td> - <td>0.30 and earlier</td> - <td>0.32 and later</td> - <td>qpidd can be induced to make http requests - <a id="CVE_2014_3629_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2014_3629_details', controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2014_3629_details"> - <p>Description: The XML exchange type is an optional, - dynamically loaded module for qpidd that allows creation of - exchanges that route messages based on evaluating an xquery - expression against them.<br/>On parsing a message sent to an - XML exchange, whose body is XML containing a link to a DTD, - the broker process will attempt to retrieve the referenced - resource(s). I.e. the broker process may be induced to make - outgoing HTTP connections by publishing a message containing - links to an XML exchange.</p> - - <p>Solution: - A <a href="https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch">patch</a> - is available that prevents any retrieval of external - entities referenced in the XML. This will be included in - subsequent releases, but can be applied to 0.30 if - desired.</p> - - <p>Common Vulnerability Score information: If the XML - exchange functionality is not required, the module in - question need not be loaded at all. This can be done either - by moving the module - named xml.so - out of the module - directory, or by setting the --no-module-dir option and - adding an explicit --load-module argument for every required - module.<br/>Where the XML exchange functionality is - required, authorisation may be enabled to prevent all but - trusted users from creating or publishing to xml - exchanges.</p> - - <p>Credit: This issue was discovered by G. 
Geshev from MWR - Labs</p> - </div> - </td> - </tr> - </tbody> -</table> - -</section> - -See the main [Security]({{site_url}}/security.html) page for general information and details for other components. +| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2015-0224]({{site_url}}/cves/CVE-2015-0224.html) | Moderate | 0.30 and earlier | 0.32 and later | Qpidd can be crashed by an unauthenticated user | +| [CVE-2015-0223]({{site_url}}/cves/CVE-2015-0223.html) | Moderate | 0.30 and earlier | 0.32 and later | Anonymous access to qpidd cannot be prevented | +| [CVE-2015-0203]({{site_url}}/cves/CVE-2015-0203.html) | Moderate | 0.30 and earlier | 0.32 and later | Qpidd can be crashed by an authenticated user | +| [CVE-2014-3629]({{site_url}}/cves/CVE-2014-3629.html) | Low | 0.30 and earlier | 0.32 and later | Qpidd can be induced to make HTTP requests | + +See the main [Security]({{site_url}}/security.html) page for general +information and details for other components. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/java-broker/index.md ---------------------------------------------------------------------- diff --git a/input/components/java-broker/index.md b/input/components/java-broker/index.md index 53447cc..5ad92ae 100644 --- a/input/components/java-broker/index.md +++ b/input/components/java-broker/index.md 
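Review bot: the Summary column capitalises the daemon name as "Qpidd" in all four rows, but `qpidd` is a process name, not a word, and the other security pages keep it lower case; reword so it does not start the sentence, e.g. "The qpidd broker can be crashed by an unauthenticated user", or keep the original lower-case "qpidd can be crashed ..." wording. The deleted detail also held the per-CVE patch references (QPID-6310, QPID-6325, the QPID-6218 patch attachment), so confirm each of the four linked `/cves/` pages carries them, since the table alone no longer does.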
@@ -86,6 +86,7 @@ that stores, routes, and forwards messages using AMQP. ## Resources + - [Security](security.html) - [FAQ](https://cwiki.apache.org/confluence/display/qpid/qpid+java+faq) - [Design documents](https://cwiki.apache.org/confluence/display/qpid/java+broker+design) - [Qpid extensions to AMQP](https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/java-broker/security.md ---------------------------------------------------------------------- diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md index 776e4db..e34759b 100644 --- a/input/components/java-broker/security.md +++ b/input/components/java-broker/security.md 
@@ -19,130 +19,11 @@ # Security -<section markdown="1"> - -## Broker for Java - -<table> - <thead> - <tr> - <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th> - </tr> - </thead> - <tbody> - <tr> - <td>CVE-2016-4432</td> - <td>Important</td> - <td>6.0.2 and earlier</td> - <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td> - <td> - Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2016_4432_details"> - <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.2 and - earlier</p> - <p>Description: The code responsible for handling incoming - AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw - that allows authentication to be bypassed. An remote - attacker can exploit this vulnerability to perform actions, - without the need to specify valid credentials. 
For - instance, unauthorised messages could be injected or - messages stolen.<br/>The vulnerability cannot be exploited - if the Access Control List (ACL) feature is enabled AND - access to all virtual hosts controlled.<br/>The - vulnerability does not apply to the Broker's AMQP 1.0 - support.<br/>The vulnerability does not apply if the Broker - is configured to require SSL client authentication for all - messaging connections.</p> - <p>Resolution: Users should upgrade the Apache Qpid Broker for Java to - version 6.0.3 or later (recommended).</p> - <p>Mitigation: If upgrading is not possible, the - vulnerability can be mitigated using an ACL file containing - "ACCESS VIRTUALHOST" clauses that white-lists user access to - all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10 - support is not required, the vulnerability can also be - mitigated by turning off these protocols at the Port - level.</p> - <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7257">QPID-7257</a></p> - </div> - </td> - </tr> - - <tr> - <td>CVE-2016-3094</td> - <td>Important</td> - <td>6.0.0, 6.0.1, 6.0.2</td> - <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td> - <td> - Denial of Service. - <a id="CVE_2016_3094_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE_2016_3094_details"> - <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.0, - 6.0.1, and 6.0.2</p> - <p>Description: A malformed authentication attempt may cause - the broker to terminate. The Apache Qpid Broker for Java supports a - number of configurable authentication providers each - supporting various SASL mechanisms. Some mechanisms need (or - can be configured to accept) plain-text passwords being sent - to the Broker (using the SASL "PLAIN" mechanism). 
Where the - broker has been configured to allow plain-text passwords for - authentication it is possible for a client to send a - malformed authentication attempt which will lead the broker - to terminate due to an uncaught Exception.<br/> Brokers - configured to use authentication from the - "PlainPasswordFile", "SimpleLDAP", or - "Base64MD5PasswordFile" providers are vulnerable if the - "PLAIN" mechanism is enabled (by default "PLAIN" will be - disabled on non-TLS ports, but enabled on TLS - connections).</p> - <p>Mitigation: Users should upgrade their Apache Qpid Broker for Java - to version 6.0.3 or later. If this is not possible, users - can disable the PLAIN mechanism for their authentication - manager on versions 0.32 and later by adding "PLAIN" to the - list of disabledMechanisms on their authentication provider - object.<br/>Note that the SimpleLDAP authentication provider - requires PLAIN and so this work around does not apply - there.</p> - <p>Credit: This issue was discovered by Alex Szczuczko of - Red Hat, Inc.</p> - <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7271">QPID-7271</a></p> - </div> - </td> - </tr> - <tr> - <td>CVE-2016-8741</td> - <td>Moderate</td> - <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td> - <td><a href="{{site_url}}/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="{{site_url}}/releases/qpid-java-6.1.1/">6.1.1</a></td> - <td> - Information Leakage. 
- <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE-2016-8741_details"> - <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1, - 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p> - <p>Description: The Qpid Broker for Java can be configured to use different so - called AuthenticationProviders to handle user authentication.<br/> - Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 - AuthenticationProvider types. - - It was discovered that these AuthenticationProviders prematurely - terminate the SCRAM SASL negotiation if the provided user name - does not exist thus allowing remote attacker to determine the - existence of user accounts.<br/> - - The Vulnerability does not apply to AuthenticationProviders other - than SCRAM-SHA-1 and SCRAM-SHA-256.</p> - <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6, - 6.1.1, or later (recommended). - If upgrading is not possible, the vulnerability can be mitigated - by using an AuthenticationProvider other than SCRAM-SHA-1 and - SCRAM-SHA-256. </p> - <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p> - </div> - </td> - </tr> - </tbody> -</table> - -</section> - -See the main [Security]({{site_url}}/security.html) page for general information and details for other components. 
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2016-3094]({{site_url}}/cves/CVE-2016-3094.html) | Important | 6.0.0, 6.0.1, and 6.0.2 | 6.0.3 | Denial of service | +| [CVE-2016-4432]({{site_url}}/cves/CVE-2016-4432.html) | Important | 6.0.2 and earlier | 6.0.3 | Authentication bypass | +| [CVE-2016-8741]({{site_url}}/cves/CVE-2016-8741.html) | Moderate | 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0 | 6.0.6, 6.1.1 | Information leakage | + +See the main [security]({{site_url}}/security.html) page for general +information and details for other components. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/amqp-0-x.md ---------------------------------------------------------------------- diff --git a/input/components/jms/amqp-0-x.md b/input/components/jms/amqp-0-x.md index f31bc1c..74f271f 100644 --- a/input/components/jms/amqp-0-x.md +++ b/input/components/jms/amqp-0-x.md @@ -40,3 +40,7 @@ The client is also available [via Maven]({{site_url}}/maven.html). - [Browse via GitHub](https://github.com/apache/qpid-jms-amqp-0-x) - [Git clone URL](https://git-wip-us.apache.org/repos/asf/qpid-jms-amqp-0-x.git) + +## Resources + + - [Security](security.html) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/index.md ---------------------------------------------------------------------- diff --git a/input/components/jms/index.md b/input/components/jms/index.md index 494be4a..6df665f 100644 --- a/input/components/jms/index.md +++ b/input/components/jms/index.md @@ -80,6 +80,7 @@ For details about the AMQP 0-x JMS client, look [here](amqp-0-x.html). ## Resources + - [Security](security.html) - [AMQP 0-x JMS Client](amqp-0-x.html) </div> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/security-0-x.md ---------------------------------------------------------------------- 
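Review bot: the Fixed versions column loses the "and later" qualifier that every other component table uses (Proton: "0.13.1 and later", C++ broker: "0.32 and later"), and the deleted rows said "6.0.3 or later (recommended)" and "6.0.6, 6.1.1, or later"; write "6.0.3 and later" and "6.0.6, 6.1.1 and later" so a reader on 6.0.4 does not conclude it is unfixed, and consider keeping the `{{site_url}}/releases/qpid-java-6.0.3/` links that the old cells had. Also the closing line reads "See the main [security]" while every other page in this patch says "[Security]".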
diff --git a/input/components/jms/security-0-x.md b/input/components/jms/security-0-x.md deleted file mode 100644 index cc491f5..0000000 --- a/input/components/jms/security-0-x.md +++ /dev/null 
@@ -1,72 +0,0 @@ -;; -;; Licensed to the Apache Software Foundation (ASF) under one -;; or more contributor license agreements. See the NOTICE file -;; distributed with this work for additional information -;; regarding copyright ownership. The ASF licenses this file -;; to you under the Apache License, Version 2.0 (the -;; "License"); you may not use this file except in compliance -;; with the License. You may obtain a copy of the License at -;; -;; http://www.apache.org/licenses/LICENSE-2.0 -;; -;; Unless required by applicable law or agreed to in writing, -;; software distributed under the License is distributed on an -;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -;; KIND, either express or implied. See the License for the -;; specific language governing permissions and limitations -;; under the License. -;; - -# Security - -<section markdown="1"> - -## AMQP 0-x JMS Client (AMQP 0-8, 0-9, 0-9-1, 0-10) - -<table> - <thead> - <tr> - <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th> - </tr> - </thead> - <tbody> - <tr> - <td>CVE-2016-4974</td> - <td>Moderate</td> - <td>6.0.3 and earlier</td> - <td>6.0.4 and later</a></td> - <td> - Deserialization of untrusted input while using JMS ObjectMessage. <a id="CVE-2016-4974_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-4974_details', controlId:'CVE-2016-4974_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE-2016-4974_details"> - <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are - subject to the behaviour of any object deserialization during the process - of constructing the body to return. 
Unless the application has taken outside - steps to limit the deserialization process, they can't protect against - input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation. - In order to exploit this vulnerability, an attacker would need - to be able to inject a suitably crafted AMQP message containing the - malicious JMS Object Message into the AMQP message network. For this, - the attacker would require valid authentication credentials and - suitable authorisation.</p> - - <p> Mitigation: Users using ObjectMessage can upgrade to Qpid - AMQP 0-x JMS client 6.0.4 or or later, and use the new - configuration options to whitelist trusted content permitted for - deserialization. When so configured, attempts to deserialize input - containing other content will be prevented. Alternatively, users of older - client releases may utilise other means such as agent-based approaches to help - govern content permitted for deserialization in their application.</p> - - <p> Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)</p> - - <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7323">QPID-7323</a></p> - </div> - </td> - </tr> - </tbody> -</table> - -</section> - -See the main [Security]({{site_url}}/security.html) page for general information and details for other components. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/security.md ---------------------------------------------------------------------- diff --git a/input/components/jms/security.md b/input/components/jms/security.md index d201737..aea2c25 100644 --- a/input/components/jms/security.md +++ b/input/components/jms/security.md 
@@ -19,54 +19,17 @@ # Security -<section markdown="1"> +## AMQP 1.0 JMS -## JMS Client (AMQP 1.0) +| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage | -<table> - <thead> - <tr> - <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th> - </tr> - </thead> - <tbody> - <tr> - <td>CVE-2016-4974</td> - <td>Moderate</td> - <td>0.9.0 and earlier</td> - <td>0.10.0 and later</a></td> - <td> - Deserialization of untrusted input while using JMS ObjectMessage. <a id="CVE-2016-4974_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-4974_details', controlId:'CVE-2016-4974_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a> - <div style="display:none;" id="CVE-2016-4974_details"> - <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are - subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside - steps to limit the deserialization process, they can't protect against - input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation. - In order to exploit this vulnerability, an attacker would need - to be able to inject a suitably crafted AMQP message containing the - malicious JMS Object Message into the AMQP message network. 
For this, - the attacker would require valid authentication credentials and - suitable authorisation.</p> +## AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10) - <p> Mitigation: Users using ObjectMessage can upgrade to - Qpid JMS client 0.10.0 or later, and use the new - configuration options to whitelist trusted content permitted for - deserialization. When so configured, attempts to deserialize input - containing other content will be prevented. Alternatively, users of older - client releases may utilise other means such as agent-based approaches to help - govern content permitted for deserialization in their application.</p> +| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage | - <p> Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)</p> - - <p>References: <a href="https://issues.apache.org/jira/browse/QPIDJMS-188">QPIDJMS-188</a></p> - </div> - </td> - </tr> - </tbody> -</table> - -</section> - -See the main [Security]({{site_url}}/security.html) page for general information and details for other components. +See the main [Security]({{site_url}}/security.html) page for general +information and details for other components. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2014-3629.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2014-3629.md b/input/cves/CVE-2014-3629.md new file mode 100644 index 0000000..a245dfe --- /dev/null +++ b/input/cves/CVE-2014-3629.md 
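Review bot: the new "AMQP 0-x JMS" row reuses the AMQP 1.0 client's version ranges, "0.9.0 and earlier | 0.10.0 and later", but the `security-0-x.md` page deleted in this same patch records the 0-x client as affected in "6.0.3 and earlier" and fixed in "6.0.4 and later" (reference QPID-7323, not QPIDJMS-188); the second row should carry those 6.0.x versions. Both rows now link the single `/cves/CVE-2016-4974.html` page, so that page needs to list both clients with their own affected/fixed versions and both JIRA references.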
@@ -0,0 +1,53 @@ +# CVE-2014-3629 + +## Severity + +Low + +## Affected components + +Qpid C++ broker + +## Affected versions + +0.30 and earlier + +## Fixed versions + +0.32 and later + +## Description + +Qpidd can be induced to make http requests. + +The XML exchange type is an optional, dynamically loaded module for +qpidd that allows creation of exchanges that route messages based on +evaluating an xquery expression against them. + +On parsing a message sent to an XML exchange, whose body is XML +containing a link to a DTD, the broker process will attempt to +retrieve the referenced resource(s). I.e. the broker process may be +induced to make outgoing HTTP connections by publishing a message +containing links to an XML exchange. + +## Resolution + +A patch is available that prevents any retrieval of external entities +referenced in the XML. This will be included in subsequent releases, +but can be applied to 0.30 if desired. + +## Mitigation + +If the XML exchange functionality is not required, the module in +question need not be loaded at all. This can be done either by moving +the module - named xml.so - out of the module directory, or by setting +the --no-module-dir option and adding an explicit --load-module +argument for every required module. + +Where the XML exchange functionality is required, authorisation may be +enabled to prevent all but trusted users from creating or publishing +to xml exchanges. + +## Credit + +This issue was discovered by G. Geshev from MWR Labs. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2015-0203.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2015-0203.md b/input/cves/CVE-2015-0203.md new file mode 100644 index 0000000..e9d9eb3 --- /dev/null +++ b/input/cves/CVE-2015-0203.md 
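Review bot: this page has no `## References` section, unlike the new CVE-2015-0203 and CVE-2015-0223 pages, and the Resolution says "A patch is available" without saying where; the deleted HTML linked `https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch`, so add a References section with QPID-6218 and the patch link. Minor: the first Description line says "http requests" while the table summary says "HTTP requests"; use "HTTP".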
@@ -0,0 +1,64 @@ +# CVE-2015-0203 + +## Severity + +Moderate + +## Affected components + +Qpid C++ broker + +## Affected versions + +0.30 and earlier + +## Fixed versions + +0.32 and later + +## Description + +Qpidd can be crashed by an authenticated user. + +Certain unexpected protocol sequences cause the broker process to +crash due to insufficient checking. Three distinct cases were +identified as follows: + + - The AMQP 0-10 protocol defines a sequence set containing id + ranges. The qpidd broker can be crashed by sending it a + sequence-set containing an invalid range, where the start of the + range is after the end. This condition causes an assertion, which + causes the broker process to exit. + + - The AMQP 0-10 protocol defines header- and body- segments that may + follow certain commands. The only command for which such segments + are expected by qpidd is the message-transfer command. If another + command is sent that includes header and/or body segments, this + will cause a segmentation fault in the broker process, causing it + then to exit. + + - The AMQP 0-10 protocol defines a session-gap control that can be + sent on any established session. The qpidd broker does not support + this control and responds with an appropriate error if requested on + an established session. However, if the control is sent before the + session is opened, the brokers handling causes an assertion which + results in the broker process exiting. + +Authentication can be used to restrict access to the broker. However +any authenticated user would be able to trigger this condition which +could therefore be considered a form of denial of service. + +## Resolution + +A patch is available (QPID-6310) that handles all these errors by +sending an exception control to the remote peer and leave the broker +available to all other users. The fix will be included in subsequent +releases, but can be applied to 0.30 if desired. + +## Credit + +This issue was discovered by G. 
Geshev from MWR Labs. + +## References + +[QPID-6310](https://issues.apache.org/jira/browse/QPID-6310) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2015-0223.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2015-0223.md b/input/cves/CVE-2015-0223.md new file mode 100644 index 0000000..fb8b442 --- /dev/null +++ b/input/cves/CVE-2015-0223.md @@ -0,0 +1,43 @@ +# CVE-2015-0233 + +## Severity + +Moderate + +## Affected components + +Qpid C++ broker + +## Affected versions + +0.30 and earlier + +## Fixed versions + +0.32 and later + +## Description + +Anonymous access to qpidd cannot be prevented. + +An attacker can gain access to qpidd as an anonymous user, even if the +ANONYMOUS mechanism is disallowed. + +## Resolution + +A patch is available (QPID-6325) that addresses this +vulnerability. The fix will be included in subsequent releases, but +can be applied to 0.30 if desired. + +## Mitigation + +Authorization can be used to restrict access to broker entities such +as queue and exchanges. + +## Credit + +This issue was discovered by G. Geshev from MWR Labs. + +## References + +[QPID-6325](https://issues.apache.org/jira/browse/QPID-6325) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2015-0224.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2015-0224.md b/input/cves/CVE-2015-0224.md new file mode 100644 index 0000000..fd5f06a --- /dev/null +++ b/input/cves/CVE-2015-0224.md 
@@ -0,0 +1,52 @@ +# CVE-2015-0224 + +## Severity + +Moderate + +## Affected components + +Qpid C++ broker + +## Affected versions + +0.30 and earlier + +## Fixed versions + +0.32 and later + +## Description + +Qpidd can be crashed by unauthenticated user. + +In CVE-2015-0203 it was announced that certain unexpected protocol +sequences cause the broker process to crash due to insufficient +checking, but that authentication could be used to restrict the +exploitation of this vulnerability. + +It has now been discovered that in fact failing authentication does +not necessarily prevent exploitation of those reported +vulnerabilities. + +Further, it was stated that one of the specific vulnerabilities was +that the qpidd broker can be crashed by sending it a sequence-set +containing an invalid range, where the start of the range is after the +end. This was an incorrect analysis of the vulnerability, which is in +fact caused by a sequence-set containing a single range expressing the +maximum possible gap. + +## Resolution + +A further patch is available that handles a range expressing the +maximum possible gap without assertion (QPID-6310). The fix will be +included in subsequent releases, but can be applied to 0.30 if +desired. + +## Credit + +This issue was discovered by G. Geshev from MWR Labs. + +## References + +[QPID-6310](https://issues.apache.org/jira/browse/QPID-6310) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-2166.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2016-2166.md b/input/cves/CVE-2016-2166.md new file mode 100644 index 0000000..5c68c91 --- /dev/null +++ b/input/cves/CVE-2016-2166.md 
@@ -0,0 +1,66 @@ +# CVE-2016-2166 + +## Severity + +Moderate + +## Affected components + +Qpid Proton + +## Affected versions + +0.9 through 0.12.0 inclusive + +## Fixed versions + +0.12.1 and later + +## Description + +Python bindings silently ignore request for amqps if SSL/TLS not +supported. + +Messaging applications using the Proton Python API to provision an +SSL/TLS encrypted TCP connection may actually instantiate a +non-encrypted connection without notice if SSL support is +unavailable. This will result in all messages being sent in the clear +without the knowledge of the user. + +This issue affects those applications that use the Proton Reactor +Python API to create SSL/TLS connections. Specifically the +proton.reactor.Connector, proton.reactor.Container, and +proton.utils.BlockingConnection classes are vulnerable. These classes +can create an unencrypted connections if the "amqps://" URL prefix is +used. + +The issue only occurs if the installed Proton libraries do not support +SSL. This would be the case if the libraries were built without SSL +support or the necessary SSL libraries are not present on the system +(e.g. OpenSSL in the case of *nix). + +To check whether or not the Python API provides SSL support, use the +following console command: + + python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')" + +In addition, the issue can only occur if both ends of the connection +connect without SSL. This would be the case if the vulnerability is +active on both ends of the connection, or the non-affected endpoint +allows cleartext connections. + +## Resolution + +Proton release 0.12.1 resolves this issue by raising an SSLUnavailable +exception when SSL is not available and a SSL/TLS connection is +requested via the "amqps://" URL prefix. + +A patch is also available. + +## Credit + +This issue was discovered by M. Farrellee from Red Hat. 
+ +## References + +[PROTON-1157](https://issues.apache.org/jira/browse/PROTON-1157) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-3094.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2016-3094.md b/input/cves/CVE-2016-3094.md new file mode 100644 index 0000000..fa20122 --- /dev/null +++ b/input/cves/CVE-2016-3094.md 
@@ -0,0 +1,55 @@ +# CVE-2016-3094 + +## Severity + +Important + +## Affected components + +Broker for Java + +## Affected versions + +6.0.0, 6.0.1, and 6.0.2 + +## Fixed versions + +[6.0.3]({{site_url}}/releases/qpid-java-6.0.3/index.html) + +## Description + +Denial of Service. + +A malformed authentication attempt may cause the broker to terminate. +The Apache Qpid Broker for Java supports a number of configurable +authentication providers each supporting various SASL mechanisms. Some +mechanisms need (or can be configured to accept) plain-text passwords +being sent to the Broker (using the SASL "PLAIN" mechanism). Where +the broker has been configured to allow plain-text passwords for +authentication it is possible for a client to send a malformed +authentication attempt which will lead the broker to terminate due to +an uncaught Exception. + +Brokers configured to use authentication from the "PlainPasswordFile", +"SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if +the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled +on non-TLS ports, but enabled on TLS connections). + +## Mitigation + +Users should upgrade their Apache Qpid Broker for Java to +version 6.0.3 or later. If this is not possible, users can disable +the PLAIN mechanism for their authentication manager on versions 0.32 +and later by adding "PLAIN" to the list of disabledMechanisms on their +authentication provider object. + +Note that the SimpleLDAP authentication provider requires PLAIN and so +this work around does not apply there. + +## Credit + +This issue was discovered by Alex Szczuczko of Red Hat, Inc. + +## References + +[QPID-7271](https://issues.apache.org/jira/browse/QPID-7271) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-4432.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2016-4432.md b/input/cves/CVE-2016-4432.md new file mode 100644 index 0000000..b67ba8b 
--- /dev/null +++ b/input/cves/CVE-2016-4432.md @@ -0,0 +1,52 @@ +# CVE-2016-4432 + +## Severity + +Important + +## Affected components + +Qpid Broker for Java + +## Affected versions + +6.0.2 and earlier + +## Fixed versions + +[6.0.3]({{site_url}}/releases/qpid-java-6.0.3/index.html) + +## Description + +The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and +0-10 connections contains a flaw that allows authentication to be +bypassed. An remote attacker can exploit this vulnerability to +perform actions, without the need to specify valid credentials. For +instance, unauthorised messages could be injected or messages stolen. + +The vulnerability cannot be exploited if the Access Control List (ACL) +feature is enabled AND access to all virtual hosts controlled. + +The vulnerability does not apply to the Broker's AMQP 1.0 support. + +The vulnerability does not apply if the Broker is configured to +require SSL client authentication for all messaging connections. + +## Resolution + +Users should upgrade the Apache Qpid Broker for Java to +version 6.0.3 or later (recommended). + +## Mitigation + +If upgrading is not possible, the vulnerability can be mitigated using +an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists +user access to all virtualhosts. + +If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the +vulnerability can also be mitigated by turning off these protocols at +the Port level. + +## References + +[QPID-7257](https://issues.apache.org/jira/browse/QPID-7257) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-4467.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2016-4467.md b/input/cves/CVE-2016-4467.md new file mode 100644 index 0000000..a110b04 --- /dev/null +++ b/input/cves/CVE-2016-4467.md 
@@ -0,0 +1,63 @@ +# CVE-2016-4467 + +## Severity + +Medium + +## Affected components + +Qpid Proton + +## Affected versions + +0.8 through 0.13.0 inclusive + +## Fixed versions + +0.13.1 and later + +## Description + +Failure to verify that the server host name matches the certificate +host name on Windows. + +Messaging applications using the Proton C library to provide SSL/TLS +authentication on Windows can falsely authenticate a server whose name +does not match the server name in the connection specifier. Proton C +bindings are affected to a greater or lesser degree depending on how +they use the underlying Proton C library. + +In Proton C, this can only happen if PN_SSL_VERIFY_PEER_NAME has been +specified as the verification mode and pn_ssl_set_peer_hostname() has +not been called at all or has been called with a NULL value for a +particular pn_ssl_t object. + +In the Proton C++ binding, this will always happen unless the +application has separately specified a virtual_host name for an +SSL/TLS connection. + +In the Proton Python and Ruby bindings, this will only happen if the +application has separately specified a NULL virtual_host name for an +SSL/TLS connection after creating the connection but before the +authentication step. + +This issue only occurs on Windows versions of Proton that use the +default SChannel-based security layer. + +In any of the preceding cases, it is possible for a man-in-the-middle +attacker to spoof an SSL/TLS server if they had a certificate that was +valid for any of the application's Certificate Authorities. + +## Resolution + +Proton release 0.13.1 resolves this issue in the SChannel-based +security layer by obtaining a default non-NULL peer hostname from the +associated connection address when initialized and by always failing +hostname verification if PN_SSL_VERIFY_PEER_NAME has been specified +along with a NULL peer hostname. This resolution matches the +associated behaviour of the OpenSSL-based security layer. 
+ +## References + +[PROTON-1228](https://issues.apache.org/jira/browse/PROTON-1228) and +[PROTON-1233](https://issues.apache.org/jira/browse/PROTON-1233) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-4974.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2016-4974.md b/input/cves/CVE-2016-4974.md new file mode 100644 index 0000000..4230cf0 --- /dev/null +++ b/input/cves/CVE-2016-4974.md 
@@ -0,0 +1,52 @@ +# CVE-2016-4974 + +## Severity + +Moderate + +## Affected components + +Qpid JMS + +## Affected versions + +0.9.0 and earlier + +## Fixed versions + +0.10.0 and later + +## Description + +Deserialization of untrusted input while using JMS ObjectMessage. + +When applications call getObject() on a consumed JMS ObjectMessage +they are subject to the behaviour of any object deserialization during +the process of constructing the body to return. Unless the application +has taken outside steps to limit the deserialization process, they +can't protect against input that might try to make undesired use of +classes available on the application classpath that might be +vulnerable to exploitation. In order to exploit this vulnerability, an +attacker would need to be able to inject a suitably crafted AMQP +message containing the malicious JMS Object Message into the AMQP +message network. For this, the attacker would require valid +authentication credentials and suitable authorisation. + +## Mitigation + +Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or +later, and use the new configuration options to whitelist trusted +content permitted for deserialization. When so configured, attempts to +deserialize input containing other content will be +prevented. Alternatively, users of older client releases may utilise +other means such as agent-based approaches to help govern content +permitted for deserialization in their application. + +## Credit + +This issue was discovered by Matthias Kaiser of Code White +(www.code-white.com). + +## References + +[QPIDJMS-188](https://issues.apache.org/jira/browse/QPIDJMS-188) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-8741.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2016-8741.md b/input/cves/CVE-2016-8741.md new file mode 100644 index 0000000..d1d448e --- /dev/null +++ b/input/cves/CVE-2016-8741.md 
@@ -0,0 +1,47 @@ +# CVE-2016-8741 + +## Severity + +Moderate + +## Affected components + +Qpid Broker for Java + +## Affected versions + +6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0 + +## Fixed versions + +[6.0.6]({{site_url}}/releases/qpid-java-6.0.6/index.html), [6.1.1]({{site_url}}/releases/qpid-java-6.1.1/index.html) + +## Description + +Information Leakage. + +The Qpid Broker for Java can be configured to use different so called +AuthenticationProviders to handle user authentication. Among the +choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider +types. + +It was discovered that these AuthenticationProviders prematurely +terminate the SCRAM SASL negotiation if the provided user name does +not exist thus allowing remote attacker to determine the existence of +user accounts. + +The Vulnerability does not apply to AuthenticationProviders other than +SCRAM-SHA-1 and SCRAM-SHA-256. + +## Mitigation + +Users should upgrade the Qpid Broker for Java to version 6.0.6, +6.1.1, or later (recommended). + +If upgrading is not possible, the vulnerability can be mitigated by +using an AuthenticationProvider other than SCRAM-SHA-1 and +SCRAM-SHA-256. + +## References + +[QPID-7599](https://issues.apache.org/jira/browse/QPID-7599) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/template.md ---------------------------------------------------------------------- diff --git a/input/cves/template.md b/input/cves/template.md new file mode 100644 index 0000000..682d39c --- /dev/null +++ b/input/cves/template.md @@ -0,0 +1,23 @@ +# CVE-YYYY-NNNN + +## Severity + +Important +Moderate +Low + +## Affected components + +## Affected versions + +## Fixed versions + +## Description + +## Resolution + +## Mitigation + +## Credit + +## References http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/proton/index.md ---------------------------------------------------------------------- 
diff --git a/input/proton/index.md b/input/proton/index.md index d99fcad..920e25f 100644 --- a/input/proton/index.md +++ b/input/proton/index.md @@ -88,6 +88,7 @@ platform, environment, or language. More about ## Resources + - [Security](security.html) - [Contributing to Proton](submitting-patches.html) - [Proton Messenger](messenger.html) - [Proton wiki pages](https://cwiki.apache.org/confluence/display/qpid/proton) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
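Review bot: input/cves/CVE-2014-3629.md has no "## References" section and its Resolution says "A patch is available that prevents any retrieval of external entities" without linking the patch or a JIRA issue, unlike the other new CVE pages in this commit, which all end with a References link; add the issue link so readers on 0.30 can find the patch. The Mitigation paragraph also names "--no-module-dir" and "--load-module" as bare text; backticks would make the option names stand out from the sentence.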
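Review bot: two grammar slips in input/cves/CVE-2015-0203.md: the third bullet reads "the brokers handling causes an assertion" (should be "broker's handling"), and the Resolution reads "sending an exception control to the remote peer and leave the broker available" (should be "leaves"). The Description also says authentication can be used to restrict access, but CVE-2015-0224.md in the same commit states that failing authentication does not necessarily prevent exploitation; a cross-link to that page, or a Mitigation note saying so, would stop readers relying on authentication alone.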
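Review bot: the title in input/cves/CVE-2015-0223.md is wrong: the file is CVE-2015-0223.md but its first line is "# CVE-2015-0233", so the page would be published under a different CVE identifier than its URL and the JIRA reference; change the heading to "# CVE-2015-0223". In the same file, "broker entities such as queue and exchanges" should read "queues and exchanges".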
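Review bot: "Qpidd can be crashed by unauthenticated user." in input/cves/CVE-2015-0224.md needs an article ("by an unauthenticated user"). Since this page revises both the authentication claim and the sequence-set analysis of CVE-2015-0203, the bare mention "In CVE-2015-0203 it was announced" should be a link in the [CVE-...]({{site_url}}/cves/...) form used elsewhere in this commit, and the page has no "## Mitigation" section even though the earlier page's authentication advice no longer holds.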
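Review bot: the console command in input/cves/CVE-2016-2166.md prints a misspelled result string, 'SSL NOT AVAILBLE' (should be "AVAILABLE"); users will copy this command verbatim, so fix it before publishing. Also "can create an unencrypted connections" should be "an unencrypted connection", and "A patch is also available." does not say where; if the patch is attached to PROTON-1157 in the References, say so, otherwise link it directly.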
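Review bot: "Affected components" in input/cves/CVE-2016-3094.md reads "Broker for Java", while CVE-2016-4432.md and CVE-2016-8741.md in the same commit use "Qpid Broker for Java"; use one name so the component can be matched across pages. The upgrade advice here sits under "## Mitigation" and there is no "## Resolution" section, whereas CVE-2016-4432.md puts the upgrade under Resolution and the workaround under Mitigation; follow the template's section order in both.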
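Review bot: "An remote attacker can exploit this vulnerability" in input/cves/CVE-2016-4432.md should be "A remote attacker", and the protocol list "AMQP 0-8, 0-9, 0-91, and 0-10" (in both the Description and the Mitigation) writes the 0-9-1 version as "0-91", which differs from the "0-9-1" used in the JMS security table earlier in this commit. The page also has no "## Credit" section; if no reporter is to be named that is fine, but it is the only one of the new broker pages to omit the heading, so confirm it is intentional.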
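Review bot: the Severity in input/cves/CVE-2016-4467.md is "Medium", but input/cves/template.md in this commit offers only "Important", "Moderate" and "Low", and every other new page uses one of those; change it to "Moderate" (or add "Medium" to the template) so severities are comparable across pages. The page also has no "## Credit" section; confirm that is intentional.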
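Review bot: in input/cves/CVE-2016-8741.md, "thus allowing remote attacker to determine the existence of user accounts" needs an article ("a remote attacker"), and "The Vulnerability does not apply" should be lowercase "vulnerability". As with CVE-2016-3094.md, the upgrade recommendation is under "## Mitigation" with no "## Resolution" section.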
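Review bot: in input/cves/template.md the three Severity lines "Important", "Moderate", "Low" are meant as choose-one options, but a page created from an unedited template would render them as a single paragraph "Important Moderate Low"; mark them as alternatives (for example as an HTML comment or a "choose one:" line) so the intent is clear to whoever fills in the template.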