CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Versions 0.7.0 and 0.8.0 Description: A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down. Resolution: Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to version 0.8.1 or 1.0.0 and later. Mitigation: Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled then any remote user with network access the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication. Then an attacker needs to have authentic credentials which are used to create a connection to the Router before proceeding to exploit this vulnerability. [1] - https://issues.apache.org/jira/browse/DISPATCH-924