[ 
https://issues.apache.org/jira/browse/QPID-8046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Rudyy updated QPID-8046:
-----------------------------
    Description: 
A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in the 
functionality for authentication of connections for AMQP protocols 0-8, 0-9, 
0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability 
allows an unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP 
connections are not affected.

Authentication Providers of the following types support the PLAIN SASL mechanism:
* Plain
* PlainPasswordFile
* SimpleLDAP
* Base64MD5PasswordFile
* MD5
* SCRAM-SHA-256
* SCRAM-SHA-1

The XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2.

If an AMQP port is configured with any of these Authentication Providers, the 
Broker may be vulnerable.

The current implementation of the SASL mechanisms PLAIN and XOAUTH2 requires the 
client to provide an initial response. The PLAIN and XOAUTH2 SASL mechanism 
implementations should send a challenge (empty bytes) if no initial response is 
provided. See RFC 4616.

  was:The current implementation of the SASL mechanisms PLAIN and XOAUTH2 requires 
the client to provide an initial response. The PLAIN and XOAUTH2 SASL mechanism 
implementations should send a challenge (empty bytes) if no initial response is 
provided. See RFC 4616.


> [CVE-2018-1298][Broker-J] Allow SASL mechanisms PLAIN and XOAUTH2 to not 
> require initial response
> -------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8046
>                 URL: https://issues.apache.org/jira/browse/QPID-8046
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-7.0.0
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.0.1
>
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
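The negotiation the issue describes, as an added example that is not code from Broker-J or from this issue: a server-side SASL PLAIN handler in the pre-fix shape (the initial response is assumed to be present) next to one that sends the empty challenge the description calls for, driven through a simplified AMQP 0-9-1 Start-Ok / Secure / Secure-Ok flow. The credential store, the class and function names, and the modelling of the crash as an unhandled exception escaping the SASL layer are assumptions for illustration; the issue does not record the exact failure. Python is used because it runs stand-alone; Broker-J itself is Java. XOAUTH2 needs the same absent-initial-response handling but is not modelled here.

```python
"""
Server-side model of SASL PLAIN negotiation on an AMQP 0-9-1 style
connection, written to illustrate QPID-8046 / CVE-2018-1298.
Illustrative example code, not Apache Qpid Broker-J source.
"""
from hmac import compare_digest
from typing import Dict, List, Optional, Tuple

NUL = b"\x00"

# Constructed credential store for the example (assumption, not a Broker-J structure).
USERS: Dict[str, str] = {"guest": "guest", "app": "s3cret"}


class SaslFailure(Exception):
    """Authentication failed: the broker rejects this connection and carries on."""


def parse_plain(message: bytes) -> Tuple[str, str, str]:
    """Split an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise SaslFailure("malformed PLAIN message: expected exactly two NUL separators")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise SaslFailure("PLAIN fields must be UTF-8") from exc
    if not authcid or not passwd:
        raise SaslFailure("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def verify(authcid: str, passwd: str, users: Dict[str, str]) -> str:
    """Check credentials against the store and return the authenticated identity."""
    expected = users.get(authcid)
    # compare_digest keeps the comparison constant-time for a given length.
    if expected is None or not compare_digest(passwd.encode(), expected.encode()):
        raise SaslFailure("bad credentials")
    return authcid


class VulnerableServerPlain:
    """Pre-fix shape: assumes Start-Ok always carries the initial response.

    The unchecked indexing below stands in for any unhandled error escaping
    the SASL layer; the issue does not say which exception Broker-J raised.
    """

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.user: Optional[str] = None

    def response(self, data: bytes) -> Optional[bytes]:
        parts = data.split(NUL)
        authcid, passwd = parts[1].decode(), parts[2].decode()  # IndexError when data == b""
        self.user = verify(authcid, passwd, self.users)
        return None  # negotiation complete, nothing to challenge


class FixedServerPlain:
    """Post-fix behaviour: no initial response gets an empty challenge (RFC 4616)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.user: Optional[str] = None
        self.challenged = False

    def response(self, data: bytes) -> Optional[bytes]:
        if not data and not self.challenged:
            # Client sent Start-Ok without an initial response: reply with
            # Connection.Secure carrying an empty challenge and await Secure-Ok.
            self.challenged = True
            return b""
        _authzid, authcid, passwd = parse_plain(data)
        self.user = verify(authcid, passwd, self.users)
        return None


def run_handshake(server, client_messages: List[bytes]) -> str:
    """Drive the exchange as a broker connection handler would.

    The first client message is the 'response' field of Connection.Start-Ok;
    each later one is a Connection.Secure-Ok answering a challenge. Returns
    'authenticated:<user>', 'rejected', 'incomplete', or 'crashed' (an
    exception other than SaslFailure escaped the SASL layer).
    """
    try:
        for message in client_messages:
            challenge = server.response(message)
            if challenge is None:
                return f"authenticated:{server.user}"
            # The broker would send Connection.Secure(challenge) here.
        return "incomplete"
    except SaslFailure:
        return "rejected"
    except Exception:  # deliberately broad: models an unhandled error
        return "crashed"


if __name__ == "__main__":
    with_initial = [b"\x00guest\x00guest"]          # PLAIN message inside Start-Ok
    without_initial = [b"", b"\x00app\x00s3cret"]   # empty Start-Ok, PLAIN message in Secure-Ok
    for name, cls in (("vulnerable", VulnerableServerPlain), ("fixed", FixedServerPlain)):
        print(name, run_handshake(cls(USERS), with_initial), run_handshake(cls(USERS), without_initial))
```

Running the script shows the two servers agree when the client sends the PLAIN message in Start-Ok, and diverge when it sends an empty response: the vulnerable one lets an exception escape, the fixed one challenges and then authenticates. A client that answers the empty challenge with another empty response is rejected, not crashed, which is the behaviour an unauthenticated peer should get.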
