[jira] [Updated] (QPID-8273) [CVE-2019-0200][Broker-J][AMQP 0-8..0-10] Broker can crash on receiving malformed commands using AMQP protocols 0-8...0-10 and resending malformed messages

Fri, 01 Mar 2019 12:10:16 -0800 


     [ 
https://issues.apache.org/jira/browse/QPID-8273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Rudyy updated QPID-8273:
-----------------------------
    Summary: [CVE-2019-0200][Broker-J][AMQP 0-8..0-10] Broker can crash on 
receiving malformed commands using AMQP protocols 0-8...0-10 and resending 
malformed messages  (was: [CVE-2019-0200][Broker-J][AMQP 0-8..0-10] Broker can 
on receiving malformed commands using AMQP protocols 0-8...0-10 and resending 
malformed messages)

> [CVE-2019-0200][Broker-J][AMQP 0-8..0-10] Broker can crash on receiving 
> malformed commands using AMQP protocols 0-8...0-10 and resending malformed 
> messages
> -----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8273
>                 URL: https://issues.apache.org/jira/browse/QPID-8273
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3, 
> qpid-java-broker-7.0.2, qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2, 
> qpid-java-6.0.3, qpid-java-6.0.4, qpid-java-6.0.5, qpid-java-6.1, 
> qpid-java-6.0.6, qpid-java-6.1.1, qpid-java-6.1.2, qpid-java-6.0.7, 
> qpid-java-6.1.3, qpid-java-6.0.8, qpid-java-6.1.4, qpid-java-broker-7.0.0, 
> qpid-java-6.1.5, qpid-java-broker-7.0.1, qpid-java-6.1.7, 
> qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, 
> qpid-java-broker-7.0.6
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Critical
>             Fix For: qpid-java-broker-7.0.7, qpid-java-broker-7.1.1
>
>
> Qpid Broker-J versions 6.0.0-7.0.6 and 7.1.0 can crash when AMQP 0-8...0-10 
> protocols are used in the following cases:
> * on receiving malformed commands
> * on receiving malformed message
> * on sending malformed messages to the consumers
> AMQP 1.0 is not affected by the defect
> This vulnerability allows an unauthenticated attacker to crash the broker 
> instance by sending specially crafted commands using AMQP protocol versions 
> below 1.0.
> Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 
> utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J 
> versions 7.0.7 or 7.1.1 or later.
> If upgrade of the broker is not possible, the support for AMQP protocols 
> 0-8...0-10 can be disabled on AMQP ports. The change can be made either 
> directly in the broker configuration file or by using management interfaces.
> An example of REST API call restricting AMQP port to support only AMQP 1.0 
> using curl utility is provided below:
> {code:bash}
> curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' \
> https://<broker host>:<broker port>/api/latest/port/<port name>
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to