[ https://issues.apache.org/jira/browse/QPID-4631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chuck Rolke resolved QPID-4631. ------------------------------- Resolution: Fixed Fix Version/s: 0.23 Fixed at Committed revision 1477112. > C++ Broker interbroker links should be protected by ACL > ------------------------------------------------------- > > Key: QPID-4631 > URL: https://issues.apache.org/jira/browse/QPID-4631 > Project: Qpid > Issue Type: Bug > Components: C++ Broker > Affects Versions: 0.20 > Reporter: Chuck Rolke > Assignee: Chuck Rolke > Fix For: 0.23 > > > This issue addresses CVE-2012-4446 > Federated interbroker links may be opened by client programs and not just by > brokers. By default the creation of these links is not protected any formal > authorization. > Users concerned about this issue may immediately lock their systems down by > creating ACL rules that allow links to be created only by authorized users. > For instance the following ACL rules on each broker would provide the > lockdown necessary: > group proxies <id1> <id2> ... > acl allow proxies create link > acl deny-log all create link > A better solution is for the ACL module to deny the creation of links unless > ACL rules are specified to specifically allow them. > In pseudo code the solution is in two parts. Part one observes CREATE LINK > rules in the acl file. Part two authorizes link creation only if ACL is > loaded, CREATE LINK ACL rules are specified, and the specific user is > authorized to create the link in question: > function readAclFile() > ... > if (CREATE LINK rules are specified) > set acl->createLinkFlag > endif > ... > end function > function brokerCreateLink() > if (aclLoaded) > if (acl->createLinkFlag) > if (acl->authorise(user, create, link, properties)) > <create link allowed> > else > <create link denied - not authorized> > endif > else > <create link denied - acl did not specify a create link rule> > endif > else > <create link denied - acl module not loaded> > endif > end function > This Jira will track the implementation of this restriction. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org