[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17118714#comment-17118714 ]

wang Jessie commented on AMQ-7491:
----------------------------------

Thank you!

> ActiveMQ illegal occupation vulnerability
> -----------------------------------------
>
>                 Key: AMQ-7491
>                 URL: https://issues.apache.org/jira/browse/AMQ-7491
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP, Broker
>    Affects Versions: 5.15.12
>         Environment: We built a script using JavaScript to interact with the 
> broker in ActiveMQ 5.15.12.
> The experiment was performed on Windows 10 version 1903.
>            Reporter: wang Jessie
>            Priority: Blocker
>              Labels: security
>         Attachments: 1590234052205.png
>
>
> *Description:* Two clients with the same Container-Id are not allowed to 
> connect to the broker. When we send *two OPEN packets with the same 
> Container-Id*, the broker will return an error and the client will close the 
> TCP connection. The client with this Container-Id will *never be able to 
> connect with the broker* unless the broker resets. This vulnerability can be 
> exploited by an adversary to perform the aforementioned attack on many 
> Container-Ids to make a huge set of clients unable to connect with the broker. 
> As ActiveMQ is widely adopted by IoT vendors, this can be a 
> vulnerability affecting a wide range.
> Following are the details.
> We send *two OPEN packets with the same Container-Id 1* and we can learn from 
> log A in the attached picture on the broker side that the broker returned 
> close packets and the client closed this TCP connection with the broker.
> Then we build a new client to connect with the broker using the same 
> Container-Id 1, and we can learn from log B in the attached picture that the 
> broker returned errors, as the broker believes the client with Container-Id 1 
> is already connected.
> *Suggestion for repair:* Maybe the state of the broker after receiving two 
> OPEN packets could be checked and the connection state of the client could be 
> updated when the TCP connection is closed.
>  
> :) I hope what I found can be of some help, and if you want further discussion, 
> please email me at [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn]. 
> Thanks for spending your time on my issue.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
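
Added example (not part of the original message and not ActiveMQ code): a minimal model of the repair suggested in the report, where the Container-Id registration is released on every connection close path and only by the connection that owns it. The class, method and type names are hypothetical and the peer addresses are constructed sample values.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical model of broker-side Container-Id bookkeeping; not ActiveMQ code.
public class ContainerIdRegistry {
    // Stand-in for one accepted TCP connection (hypothetical type).
    static final class Conn {
        final String peer;
        volatile String containerId; // set once an OPEN has been accepted
        Conn(String peer) { this.peer = peer; }
    }

    private final ConcurrentMap<String, Conn> owners = new ConcurrentHashMap<>();

    // Handle an OPEN frame; false means the broker answers with an error and closes.
    boolean onOpen(Conn c, String containerId) {
        if (c.containerId != null) return false;                      // second OPEN on this connection
        if (owners.putIfAbsent(containerId, c) != null) return false; // held by another live connection
        c.containerId = containerId;
        return true;
    }

    // Must run on every close path: client close, broker-initiated close, socket error.
    void onTransportClosed(Conn c) {
        String id = c.containerId;
        if (id == null) return;       // this connection never owned an id
        // Two-argument remove frees the id only if this connection still owns it,
        // so closing a rejected duplicate cannot evict the legitimate holder.
        owners.remove(id, c);
        c.containerId = null;
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        ContainerIdRegistry reg = new ContainerIdRegistry();
        Conn a = new Conn("198.51.100.5:50001");          // constructed sample peers
        check(reg.onOpen(a, "1"), "first OPEN for Container-Id 1 accepted");
        check(!reg.onOpen(a, "1"), "second OPEN on the same connection rejected");
        reg.onTransportClosed(a);                         // error path closes the socket
        Conn b = new Conn("198.51.100.5:50002");
        check(reg.onOpen(b, "1"), "reconnect with Container-Id 1 accepted");
        Conn c = new Conn("203.0.113.9:40000");
        check(!reg.onOpen(c, "1"), "duplicate from another connection rejected");
        reg.onTransportClosed(c);                         // c never owned the id
        check(!reg.onOpen(new Conn("203.0.113.9:40001"), "1"), "b still owns Container-Id 1");
    }
}
```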
