SecurityTracker.com
Category:   Application (Generic)  >   Apache Qpid
Vendors:   Apache Software Foundation
Apache Qpid Broker for Java Certain AuthenticationProviders Let Remote Users Determine Valid Usernames on the Target System
SecurityTracker Alert ID:  1037537
SecurityTracker URL:  http://securitytracker.com/id/1037537
CVE Reference:   CVE-2016-8741
Date:  Dec 29 2016
Impact:   Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Broker for Java 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.1.0
Description:   A vulnerability was reported in Apache Qpid Broker for Java. A remote user can determine valid usernames on the target system.

A remote user can send a specially crafted request to determine valid usernames on the target system because certain AuthenticationProviders terminate the SCRAM SASL negotiation process when the supplied username value does not exist.

The SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProviders are affected.

Alex Rudyy reported this vulnerability.

Impact:   A remote user can determine valid usernames on the target system.
Solution:   The vendor has issued a fix (Broker for Java 6.0.6, 6.1.1).

The vendor advisory is available at:

https://issues.apache.org/jira/browse/QPID-7599

Vendor URL:  qpid.apache.org/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Date:  Wed, 28 Dec 2016 11:50:51 +0000
Subject:  [CVE-2016-8741] Apache Qpid Broker for Java - Information Leakage

[CVE-2016-8741] Apache Qpid Broker for Java - Information Leakage

Vendor: The Apache Software Foundation

Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
                   6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0

Description:

The Qpid Broker for Java can be configured to use different so-called
AuthenticationProviders to handle user authentication.

Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
AuthenticationProvider types.

It was discovered that these AuthenticationProviders prematurely
terminate the SCRAM SASL negotiation if the provided user name
does not exist, thus allowing a remote attacker to determine the
existence of user accounts.

The vulnerability does not apply to AuthenticationProviders other
than SCRAM-SHA-1 and SCRAM-SHA-256.

Resolution:

Users should upgrade the Qpid Broker for Java to version 6.0.6,
6.1.1, or later (recommended).

Mitigation:

If upgrading is not possible, the vulnerability can be mitigated
by using an AuthenticationProvider other than SCRAM-SHA-1 and
SCRAM-SHA-256.

References:

https://issues.apache.org/jira/browse/QPID-7599
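The following added example (not Qpid's code, and not the vendor's fix) contrasts the leaky SCRAM server-first step described above with a variant that does not reveal account existence. The account store, the decoy secret and the 4096 iteration count are constructed for the illustration; the message layout follows the RFC 5802 server-first-message.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample account store: username -> (salt, iteration count).
# Only "alice" exists; any other name is unknown to the broker.
USERS = {"alice": (b"\x01" * 16, 4096)}

# Constructed broker-wide secret used only to derive stable decoy salts.
DECOY_SECRET = b"constructed-example-secret"


def _server_first(salt: bytes, iterations: int, client_nonce: str) -> str:
    """Build an RFC 5802 server-first-message: r=<nonces>,s=<salt>,i=<count>."""
    server_nonce = secrets.token_urlsafe(18)
    salt_b64 = base64.b64encode(salt).decode()
    return f"r={client_nonce}{server_nonce},s={salt_b64},i={iterations}"


def server_first_leaky(username: str, client_nonce: str):
    """Behaviour described for CVE-2016-8741: the SASL exchange is terminated
    as soon as the username is unknown, so the client can tell whether an
    account exists before it has proved knowledge of any password."""
    if username not in USERS:
        return None  # early failure is the information leak
    salt, iterations = USERS[username]
    return _server_first(salt, iterations, client_nonce)


def server_first_hardened(username: str, client_nonce: str) -> str:
    """Non-leaking variant: unknown users receive a decoy salt and the usual
    iteration count, so the server-first-message has the same shape and the
    attempt only fails later, at client-final-message, like a wrong password."""
    if username in USERS:
        salt, iterations = USERS[username]
    else:
        # A keyed hash of the username keeps the decoy stable across probes;
        # a fresh random salt on every attempt would itself mark the account
        # as fake to anyone comparing two responses.
        salt = hmac.new(DECOY_SECRET, username.encode(), hashlib.sha256).digest()[:16]
        iterations = 4096
    return _server_first(salt, iterations, client_nonce)


def salt_field(server_first: str) -> str:
    """Extract the s= attribute so two responses can be compared."""
    return dict(attr.split("=", 1) for attr in server_first.split(",")).get("s", "")
```

For a broker that cannot be patched, the advisory's mitigation (switching to a non-SCRAM AuthenticationProvider) removes the distinguishable early failure entirely rather than masking it.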
Copyright 2017, SecurityGlobal.net LLC