Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 7766ac5b5 -> 9ccb93178


Update site content for CVE-2018-8030


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/9ccb9317
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/9ccb9317
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/9ccb9317

Branch: refs/heads/asf-site
Commit: 9ccb93178d768f2e92c68434b4f6b500c4cbcdde
Parents: 7766ac5
Author: Alex Rudyy <oru...@apache.org>
Authored: Mon Jun 18 22:17:00 2018 +0100
Committer: Alex Rudyy <oru...@apache.org>
Committed: Mon Jun 18 22:20:45 2018 +0100

----------------------------------------------------------------------
 content/components/broker-j/security.html |   7 +
 content/cves/CVE-2018-8030.html           | 200 +++++++++++++++++++++++++
 input/components/broker-j/security.md     |   1 +
 input/cves/CVE-2018-8030.md               |  55 +++++++
 4 files changed, 263 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/9ccb9317/content/components/broker-j/security.html
----------------------------------------------------------------------
diff --git a/content/components/broker-j/security.html 
b/content/components/broker-j/security.html
index 636a6b4..9b8337e 100644
--- a/content/components/broker-j/security.html
+++ b/content/components/broker-j/security.html
@@ -169,6 +169,13 @@ 
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
   <td>7.0.1</td>
   <td>Denial of Service</td>
 </tr>
+<tr>
+  <td><a href="/cves/CVE-2018-8030.html">CVE-2018-8030</a></td>
+  <td>Important</td>
+  <td>7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4</td>
+  <td>7.0.5</td>
+  <td>Denial of Service</td>
+</tr>
 </tbody>
 </table>
 
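Review bot: the "Affected versions" cell in the new row, "7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4", carries over the serial-comma inconsistency from its source row in input/components/broker-j/security.md (the existing rows there read "6.1.3, and 6.1.4" and "0.30, and 0.32"); since this HTML is generated output, fix the wording in the markdown source and regenerate rather than editing this file by hand.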

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/9ccb9317/content/cves/CVE-2018-8030.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2018-8030.html b/content/cves/CVE-2018-8030.html
new file mode 100644
index 0000000..0ec8f87
--- /dev/null
+++ b/content/cves/CVE-2018-8030.html
@@ -0,0 +1,200 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
+  <head>
+    <title>CVE-2018-8030: Apache Qpid Broker-J Denial of Service Vulnerability 
when AMQP 0-8...0-91 messages exceed maximum size limit - Apache 
Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git 
https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" 
alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache 
Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid 
Messaging API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ 
broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch 
router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a 
href="https://cwiki.apache.org/confluence/display/qpid/Index";>Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search"; method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" 
tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a 
href="/index.html">Home</a></li><li>CVE-2018-8030: Apache Qpid Broker-J Denial 
of Service Vulnerability when AMQP 0-8...0-91 messages exceed maximum size 
limit</li></ul>
+
+        <div id="-middle-content">
+          <h1 
id="cve-2018-8030-apache-qpid-broker-j-denial-of-service-vulnerability-when-amqp-0-80-91-messages-exceed-maximum-size-limit">CVE-2018-8030:
 Apache Qpid Broker-J Denial of Service Vulnerability when AMQP 0-8...0-91 
messages exceed maximum size limit</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-broker-j-7.0.5/index.html">7.0.5</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J
+versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to
+publish messages with size greater than allowed maximum message size limit
+(100MB by default). The broker crashes due to the defect. AMQP protocols
+0-10 and 1.0 are not affected.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Users of Broker-J versions 7.0.0-7.0.4 utilizing AMQP protocols 0-8, 0-9 or 
0-91
+for message publishing must upgrade to version 7.0.5 or later.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrade of the broker is not possible, the maximum message size limit 
can be
+disabled by setting context variable "qpid.max_message_size" to "0" or
+any negative value. The change can be made either directly in the broker
+configuration file, or by using management interfaces (for example, REST API)
+or by sing JVM option -Dqpid.max_message_size=0. A broker restart is required
+for the change to take effect.
+Alternatively, the support for AMQP protocols 0-8...0-91 can be
+removed on AMQP ports.
+The change can be made either directly in the broker configuration file
+or by using management interfaces. An example of REST API call
+restricting AMQP port to support only to AMQP 1.0 and AMQP 0-10 using curl
+utility is provided below:</p>
+
+<p><code>sh
+curl --user &lt;user-name&gt; -X POST  -d 
'{"protocols":["AMQP_1_0","AMQP_0_10"]}' https://&lt;broker host&gt;:&lt;broker 
port&gt;/api/latest/port/&lt;port name&gt;
+</code></p>
+
+<h2 id="references">References</h2>
+
+<ul>
+<li><a 
href="https://issues.apache.org/jira/browse/QPID-8203";>QPID-8203</a></li>
+<li><a 
href="https://qpid.apache.org/releases/qpid-broker-j-7.0.5/book/Java-Broker-Management-Channel-REST-API.html";>REST
 API</a></li>
+</ul>
+
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/";>Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/";>License</a></li>
+            <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+            <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
+            <li><a href="/security.html">Security</a></li>
+            <li><a href="http://www.apache.org/";><img id="-apache-feather" 
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0";>Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
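Review bot: the curl example in the Mitigation section has rendered as `<p><code>sh` ... `</code></p>`, with the literal fence tag "sh" leaking into the visible text and no `<pre>` wrapper, which shows the site generator did not recognise the ```sh fence used in input/cves/CVE-2018-8030.md; switch to the code-block syntax the rest of the site's markdown uses (or enable fenced-code support in the generator) so the command is shown as a preformatted block, and check the regenerated page for the stray "sh". The typo "by sing JVM option" and the awkward "restricting AMQP port to support only to AMQP 1.0 and AMQP 0-10" in the same section should likewise be fixed in the markdown source, not here.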

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/9ccb9317/input/components/broker-j/security.md
----------------------------------------------------------------------
diff --git a/input/components/broker-j/security.md 
b/input/components/broker-j/security.md
index 2635c6c..89019a6 100644
--- a/input/components/broker-j/security.md
+++ b/input/components/broker-j/security.md
@@ -27,6 +27,7 @@
 | [CVE-2017-15701]({{site_url}}/cves/CVE-2017-15701.html) | Important | 6.1.0, 
6.1.1, 6.1.2, 6.1.3, and 6.1.4 | 6.1.5 | Denial of Service |
 | [CVE-2017-15702]({{site_url}}/cves/CVE-2017-15702.html) | Important | 0.18, 
0.20, 0.22, 0.24, 0.26, 0.28, 0.30, and 0.32 | 6.0.0 | Authentication 
vulnerability |
 | [CVE-2018-1298]({{site_url}}/cves/CVE-2018-1298.html) | Important | 7.0.0 | 
7.0.1 | Denial of Service |
+| [CVE-2018-8030]({{site_url}}/cves/CVE-2018-8030.html) | Important | 7.0.0, 
7.0.1, 7.0.2, 7.0.3 and 7.0.4 | 7.0.5 | Denial of Service |
 
 See the main [security]({{site_url}}/security.html) page for general
 information and details for other components.
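Review bot: style point on the added row, the version list "7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4" omits the serial comma that the rows immediately above use ("6.1.3, and 6.1.4", "0.30, and 0.32"); suggest "7.0.3, and 7.0.4" so the table reads consistently.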

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/9ccb9317/input/cves/CVE-2018-8030.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2018-8030.md b/input/cves/CVE-2018-8030.md
new file mode 100644
index 0000000..8f61e7f
--- /dev/null
+++ b/input/cves/CVE-2018-8030.md
@@ -0,0 +1,55 @@
+# CVE-2018-8030: Apache Qpid Broker-J Denial of Service Vulnerability when 
AMQP 0-8...0-91 messages exceed maximum size limit
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4
+
+## Fixed versions
+
+[7.0.5]({{site_url}}/releases/qpid-broker-j-7.0.5/index.html)
+
+## Description
+
+A Denial of Service vulnerability was found in Apache Qpid Broker-J
+versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to
+publish messages with size greater than allowed maximum message size limit
+(100MB by default). The broker crashes due to the defect. AMQP protocols
+0-10 and 1.0 are not affected.
+
+## Resolution
+
+Users of Broker-J versions 7.0.0-7.0.4 utilizing AMQP protocols 0-8, 0-9 or 
0-91
+for message publishing must upgrade to version 7.0.5 or later.
+
+## Mitigation
+
+If upgrade of the broker is not possible, the maximum message size limit can be
+disabled by setting context variable "qpid.max\_message\_size" to "0" or
+any negative value. The change can be made either directly in the broker
+configuration file, or by using management interfaces (for example, REST API)
+or by sing JVM option -Dqpid.max\_message\_size=0. A broker restart is required
+for the change to take effect.
+Alternatively, the support for AMQP protocols 0-8...0-91 can be
+removed on AMQP ports.
+The change can be made either directly in the broker configuration file
+or by using management interfaces. An example of REST API call
+restricting AMQP port to support only to AMQP 1.0 and AMQP 0-10 using curl
+utility is provided below:
+
+```sh
+curl --user <user-name> -X POST  -d '{"protocols":["AMQP_1_0","AMQP_0_10"]}' 
https://<broker host>:<broker port>/api/latest/port/<port name>
+```
+
+## References
+
+ - [QPID-8203](https://issues.apache.org/jira/browse/QPID-8203)
+ - [REST 
API](https://qpid.apache.org/releases/qpid-broker-j-7.0.5/book/Java-Broker-Management-Channel-REST-API.html)
+
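Review bot: two wording fixes in the Mitigation section, "by sing JVM option -Dqpid.max\_message\_size=0" should read "by using JVM option ...", and "An example of REST API call restricting AMQP port to support only to AMQP 1.0 and AMQP 0-10" should drop the second "to" (for example "restricting an AMQP port to AMQP 1.0 and AMQP 0-10 only"). More substantively, the first mitigation (setting qpid.max\_message\_size to "0" or a negative value) removes the 100MB cap described in the Description entirely, so the page should say plainly that it trades the crash for an unbounded message size from AMQP 0-8/0-9/0-91 publishers, and that the second option, removing those protocols from the AMQP port, is the safer choice wherever clients can use AMQP 1.0 or 0-10; as written the two options are presented as equivalent.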

