[ https://issues.apache.org/jira/browse/QPID-8273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-8273:
-----------------------------
    Description: 
Qpid Broker-J versions 6.0.0-7.0.6 and 7.1.0 can crash when AMQP 0-8...0-10 
protocols are used in the following cases:
* on receiving malformed commands
* on receiving malformed messages
* on sending malformed messages to the consumers

AMQP 1.0 is not affected by the defect.

This vulnerability allows an unauthenticated attacker to crash the broker 
instance by sending specially crafted commands using AMQP protocol versions 
below 1.0.

Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 
utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J 
versions 7.0.7 or 7.1.1 or later.

If upgrading the broker is not possible, support for AMQP protocols 
0-8...0-10 can be disabled on AMQP ports. The change can be made either 
directly in the broker configuration file or through the management interfaces.

An example REST API call, using the curl utility, that restricts an AMQP port 
to support only AMQP 1.0 is provided below:

{code:bash}
curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' \
https://<broker host>:<broker port>/api/latest/port/<port name>
{code}
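As an added check that is not part of this issue or of the Qpid project's code, the following Python script decides from the broker version and the per-port JSON (shape assumed from the /api/latest/port endpoint above) whether a broker is still exposed, and builds the same request body as the curl command. The pre-1.0 protocol identifiers other than AMQP_1_0, and the behaviour that a port with no explicit protocols list accepts every AMQP version, are assumptions to verify against your own broker's REST output.

```python
import json
import re

# Protocol identifiers as used in the broker port configuration. "AMQP_1_0" is the
# value from the advisory; the pre-1.0 names are assumed to follow the same pattern.
PRE_1_0_PROTOCOLS = {"AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1", "AMQP_0_10"}
ALL_AMQP_PROTOCOLS = PRE_1_0_PROTOCOLS | {"AMQP_1_0"}

def parse_version(version):
    """Return (major, minor, patch) from strings such as '7.0.6' or '7.1.0-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Broker-J version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version):
    """True for 6.0.0..7.0.6 inclusive and for 7.1.0, the ranges named in QPID-8273."""
    v = parse_version(version)
    return (6, 0, 0) <= v <= (7, 0, 6) or v == (7, 1, 0)

def exposed_pre_1_0(port):
    """Pre-1.0 AMQP protocols a port object (shape of /api/latest/port output) still accepts.
    An AMQP port with no explicit 'protocols' list is assumed to accept every AMQP version."""
    if port.get("type") != "AMQP":
        return set()
    return set(port.get("protocols") or ALL_AMQP_PROTOCOLS) & PRE_1_0_PROTOCOLS

def audit(version, ports):
    """Map each still-exposed port name to its pre-1.0 protocols; {} means nothing to do."""
    if not is_affected_version(version):
        return {}
    return {p["name"]: sorted(exposed_pre_1_0(p)) for p in ports if exposed_pre_1_0(p)}

def remediation_body():
    """JSON body of the POST shown in the advisory: restrict the port to AMQP 1.0 only."""
    return json.dumps({"protocols": ["AMQP_1_0"]}, separators=(",", ":"))

# Constructed sample in the shape of /api/latest/port output, not captured from a real broker.
SAMPLE_PORTS = [
    {"name": "AMQP", "type": "AMQP", "port": 5672, "protocols": None},
    {"name": "AMQP-1.0-only", "type": "AMQP", "port": 5673, "protocols": ["AMQP_1_0"]},
    {"name": "HTTP", "type": "HTTP", "port": 8080, "protocols": ["HTTP"]},
]

if __name__ == "__main__":
    for name, protos in audit("7.0.6", SAMPLE_PORTS).items():
        print(f"port {name!r} accepts {protos}: POST {remediation_body()} to /api/latest/port/{name}")
```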



  was:
Qpid Broker-J versions 6.0.0-7.0.6 and 7.1.0 can crash when AMQP 0-8...0-10 
protocols are used in the following cases:
* on receiving malformed commands
* on receiving malformed messages
* on sending malformed messages to the consumers

AMQP 1.0 is not affected by the defect.




> [CVE-2019-0200][Broker-J][AMQP 0-8..0-10] Broker can crash on receiving malformed 
> commands using AMQP protocols 0-8...0-10 and resending malformed messages
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8273
>                 URL: https://issues.apache.org/jira/browse/QPID-8273
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3, 
> qpid-java-broker-7.0.2, qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2, 
> qpid-java-6.0.3, qpid-java-6.0.4, qpid-java-6.0.5, qpid-java-6.1, 
> qpid-java-6.0.6, qpid-java-6.1.1, qpid-java-6.1.2, qpid-java-6.0.7, 
> qpid-java-6.1.3, qpid-java-6.0.8, qpid-java-6.1.4, qpid-java-broker-7.0.0, 
> qpid-java-6.1.5, qpid-java-broker-7.0.1, qpid-java-6.1.7, 
> qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, 
> qpid-java-broker-7.0.6
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Critical
>             Fix For: qpid-java-broker-7.0.7, qpid-java-broker-7.1.1
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
