lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Jan 2015 10:34:20 +0000
From: Gordon Sim <gsim@...che.org>
To: "users@...d.apache.org" <users@...d.apache.org>,
  "dev@...d.apache.org" <dev@...d.apache.org>, announce@...che.org,
  "security@...che.org" <security@...che.org>, bugtraq@...urityfocus.com
Subject: CVE-2015-0203: Apache Qpid's qpidd can be crashed by authenticated
 user

    Apache Software Foundation - Security Advisory

       Apache Qpid's qpidd can be crashed by authenticated user

CVE-2015-0203  CVS: 5.2

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Apache Qpid's qpidd up to and including version 0.30

Description:

Certain unexpected protocol sequences cause the broker process to
crash due to insufficient checking. Three distinct cases were
identified as follows:

The AMQP 0-10 protocol defines a sequence set containing id
ranges. The qpidd broker can be crashed by sending it a sequence-set
containing an invalid range, where the start of the range is after the
end. This condition causes an assertion, which causes the broker
process to exit.

The AMQP 0-10 protocol defines header- and body- segments that may
follow certain commands. The only command for which such segments are
expected by qpidd is the message-transfer command. If another command
is sent that includes header and/or body segments, this will cause a
segmentation fault in the broker process, causing it then to exit.

The AMQP 0-10 protocol defines a session-gap control that can be sent
on any established session. The qpidd broker does not support this
control and responds with an appropriate error if requested on an
established session. However, if the control is sent before the
session is opened, the brokers handling causes an assertion which
results in the broker process exiting.

Solution:

A patch is available (https://issues.apache.org/jira/browse/QPID-6310)
that handles all these errors by sending an exception control to the
remote peer and leave the broker available to all other users. The fix
will be included in subsequent releases, but can be applied to 0.30 if
desired.

Common Vulnerability Score information:

Authentication can be used to restrict access to the broker. However
any authenticated user would be able to trigger this condition which
could therefore be considered a form of denial of service.

Credit:

This issue was discovered by G. Geshev from MWR Labs

Common Vulnerability Score information:


CVSS Base Score                   6.3
Impact Subscore                   6.9
Exploitability Subscore           6.8
CVSS Temporal Score               5.2
CVSS Environmental Score          Not Defined
Modified Impact Subscore          Not Defined
Overall CVSS Score                5.2

Powered by blists - more mailing lists