exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Qpid 0.30 Denial Of Service

Apache Qpid 0.30 Denial Of Service
Posted Jan 14, 2015
Authored by G. Geshev

Apache Qpid's qpidd up to and including version 0.30 suffers from a denial of service vulnerability.

tags | advisory, denial of service
advisories | CVE-2015-0203
SHA-256 | 93e08a917a4400984c0daa916d80f064f905d79916e53644c6f039af207a0100

Apache Qpid 0.30 Denial Of Service

Change Mirror Download
    Apache Software Foundation - Security Advisory

Apache Qpid's qpidd can be crashed by authenticated user

CVE-2015-0203 CVS: 5.2

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Apache Qpid's qpidd up to and including version 0.30

Description:

Certain unexpected protocol sequences cause the broker process to
crash due to insufficient checking. Three distinct cases were
identified as follows:

The AMQP 0-10 protocol defines a sequence set containing id
ranges. The qpidd broker can be crashed by sending it a sequence-set
containing an invalid range, where the start of the range is after the
end. This condition causes an assertion, which causes the broker
process to exit.

The AMQP 0-10 protocol defines header- and body- segments that may
follow certain commands. The only command for which such segments are
expected by qpidd is the message-transfer command. If another command
is sent that includes header and/or body segments, this will cause a
segmentation fault in the broker process, causing it then to exit.

The AMQP 0-10 protocol defines a session-gap control that can be sent
on any established session. The qpidd broker does not support this
control and responds with an appropriate error if requested on an
established session. However, if the control is sent before the
session is opened, the brokers handling causes an assertion which
results in the broker process exiting.

Solution:

A patch is available (https://issues.apache.org/jira/browse/QPID-6310)
that handles all these errors by sending an exception control to the
remote peer and leave the broker available to all other users. The fix
will be included in subsequent releases, but can be applied to 0.30 if
desired.

Common Vulnerability Score information:

Authentication can be used to restrict access to the broker. However
any authenticated user would be able to trigger this condition which
could therefore be considered a form of denial of service.

Credit:

This issue was discovered by G. Geshev from MWR Labs

Common Vulnerability Score information:


CVSS Base Score 6.3
Impact Subscore 6.9
Exploitability Subscore 6.8
CVSS Temporal Score 5.2
CVSS Environmental Score Not Defined
Modified Impact Subscore Not Defined
Overall CVSS Score 5.2
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close