Apache Qpid's qpidd up to and including version 0.30 suffers from a denial of service vulnerability.
93e08a917a4400984c0daa916d80f064f905d79916e53644c6f039af207a0100
Apache Software Foundation - Security Advisory
Apache Qpid's qpidd can be crashed by authenticated user
CVE-2015-0203 CVS: 5.2
Severity: Moderate
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Qpid's qpidd up to and including version 0.30
Description:
Certain unexpected protocol sequences cause the broker process to
crash due to insufficient checking. Three distinct cases were
identified as follows:
The AMQP 0-10 protocol defines a sequence set containing id
ranges. The qpidd broker can be crashed by sending it a sequence-set
containing an invalid range, where the start of the range is after the
end. This condition causes an assertion, which causes the broker
process to exit.
The AMQP 0-10 protocol defines header- and body- segments that may
follow certain commands. The only command for which such segments are
expected by qpidd is the message-transfer command. If another command
is sent that includes header and/or body segments, this will cause a
segmentation fault in the broker process, causing it then to exit.
The AMQP 0-10 protocol defines a session-gap control that can be sent
on any established session. The qpidd broker does not support this
control and responds with an appropriate error if requested on an
established session. However, if the control is sent before the
session is opened, the brokers handling causes an assertion which
results in the broker process exiting.
Solution:
A patch is available (https://issues.apache.org/jira/browse/QPID-6310)
that handles all these errors by sending an exception control to the
remote peer and leave the broker available to all other users. The fix
will be included in subsequent releases, but can be applied to 0.30 if
desired.
Common Vulnerability Score information:
Authentication can be used to restrict access to the broker. However
any authenticated user would be able to trigger this condition which
could therefore be considered a form of denial of service.
Credit:
This issue was discovered by G. Geshev from MWR Labs
Common Vulnerability Score information:
CVSS Base Score 6.3
Impact Subscore 6.9
Exploitability Subscore 6.8
CVSS Temporal Score 5.2
CVSS Environmental Score Not Defined
Modified Impact Subscore Not Defined
Overall CVSS Score 5.2