CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service
Vulnerability when specially crafted frame is sent to the Router

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 0.7.0 and 0.8.0

Description: A Denial of Service vulnerability was found in Apache
Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a
remote user must be able to establish an AMQP connection to the Qpid
Dispatch Router and send a specifically crafted AMQP frame which will
cause it to segfault and shut down.

Resolution:
Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to
version 0.8.1 or 1.0.0 and later.

Mitigation:
Any user who is able to connect to the Router may exploit the
vulnerability. If anonymous authentication is enabled then any remote
user with network access the Router is a possible attacker. The number
of possible attackers is reduced if the Router is configured to
require authentication. Then an attacker needs to have authentic
credentials which are used to create a connection to the Router before
proceeding to exploit this vulnerability.

[1] - https://issues.apache.org/jira/browse/DISPATCH-924

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to