[ 
https://issues.apache.org/jira/browse/DISPATCH-924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ganesh Murthy updated DISPATCH-924:
-----------------------------------
    Affects Version/s:     (was: 0.8.1)
                           (was: 1.0.0)
                       0.7.0
                       0.8.0
             Priority: Major  (was: Minor)
          Description: A Denial of Service vulnerability was found in Apache 
Qpid Dispatch Router versions 0.7.0 and 0.8.0. To exploit this vulnerability, a 
remote user must be able to establish an AMQP connection to the Qpid Dispatch 
Router and send a specifically crafted AMQP frame which will cause it to 
segfault and shut down. Any user who is able to connect to the Router may 
exploit the vulnerability. If anonymous authentication is enabled then any 
remote user with network access to the Router is a possible attacker. The 
number of possible attackers is reduced if the Router is configured to require 
authentication. Then an attacker needs to have authentic credentials which are 
used to create a connection to the Router before proceeding to exploit this 
vulnerability.
              Summary: [CVE-2017-15699] Denial of Service Vulnerability when 
specially crafted frame is sent to the Router  (was: Remove unused variables in 
router core)

> [CVE-2017-15699] Denial of Service Vulnerability when specially crafted frame 
> is sent to the Router
> ---------------------------------------------------------------------------------------------------
>
>                 Key: DISPATCH-924
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-924
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Container
>    Affects Versions: 0.7.0, 0.8.0
>            Reporter: Ganesh Murthy
>            Assignee: Ganesh Murthy
>            Priority: Major
>             Fix For: 0.8.1, 1.0.0
>
>
> A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 
> versions 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must 
> be able to establish an AMQP connection to the Qpid Dispatch Router and send 
> a specifically crafted AMQP frame which will cause it to segfault and shut 
> down. Any user who is able to connect to the Router may exploit the 
> vulnerability. If anonymous authentication is enabled then any remote user 
> with network access to the Router is a possible attacker. The number of 
> possible attackers is reduced if the Router is configured to require 
> authentication. Then an attacker needs to have authentic credentials which 
> are used to create a connection to the Router before proceeding to exploit 
> this vulnerability.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
