Category:   Application (Generic)  >   Apache Qpid Vendors:   Apache Software Foundation
Apache Qpid Broker-J Maximum Message Size Processing Bug Lets Remote Users Cause the Target Service to Crash
SecurityTracker Alert ID:  1041138
SecurityTracker URL:  http://securitytracker.com/id/1041138
CVE Reference:   CVE-2018-8030
Date:  Jun 19 2018
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.0.0 - 7.0.4
Description:   A vulnerability was reported in Apache Qpid Broker-J. A remote user can cause the target service to crash.

A remote user can publish a message with a size that is larger than the maximum message size limit to cause the target broker to crash.

AMQP protocols 0-8, 0-9, and 0-91 are affected.

The Qpid development team reported this vulnerability.

Impact:   A remote user can cause the target service to crash.
Solution:   The vendor has issued a fix (7.0.5).

The vendor advisory is available at:

https://issues.apache.org/jira/browse/QPID-8203

Vendor URL:  qpid.apache.org/releases/qpid-broker-j-7.0.5/release-notes.html
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] [SECURITY] [CVE-2018-8030] Apache Qpid Broker-J Denial of Service Vulnerability when AMQP 0-8...0-91 messages exceed maximum size limit

CVE-2018-8030: Apache Qpid Broker-J Denial of Service Vulnerability
when AMQP 0-8...0-91 messages exceed maximum size limit

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 7.0.0-7.0.4

Description:

A Denial of Service vulnerability [1] was found in Apache Qpid Broker-J
versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to
publish messages with a size greater than the allowed maximum message size
limit (100MB by default). The broker crashes due to the defect. AMQP protocols
0-10 and 1.0 are not affected.

Resolution:

Users of Broker-J versions 7.0.0-7.0.4 utilizing AMQP protocols 0-8, 0-9 or 0-91
for message publishing must upgrade to version 7.0.5 [2] or later.

Mitigation:

If upgrading the broker is not possible, the maximum message size limit can be
disabled by setting the context variable "qpid.max_message_size" to "0" or
any negative value. The change can be made either directly in the broker
configuration file, by using the management interfaces (for example, the
REST API [3]), or by using the JVM option -Dqpid.max_message_size=0. A broker
restart is required for the change to take effect.
Alternatively, support for AMQP protocols 0-8...0-91 can be removed from the
AMQP ports. The change can be made either directly in the broker configuration
file or by using the management interfaces. An example REST API call, using the
curl utility, that restricts an AMQP port to support only AMQP 1.0 and AMQP 0-10
is provided below:

curl --user <user-name> -X POST  -d '{"protocols":["AMQP_1_0","AMQP_0_10"]}' \
https://<broker host>:<broker port>/api/latest/port/<port name>
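The following script is an added example and is not part of the advisory or of the Qpid project. It audits a broker's port definitions and the "qpid.max_message_size" context variable for the two mitigations above, and builds the same POST request as the curl command. The endpoint path, the JSON body shape and the identifiers "AMQP_1_0" and "AMQP_0_10" come from the advisory; the identifiers assumed for the affected protocols ("AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1"), the sample port listing and the broker URL are constructed for the example.

```python
# Added example (not from the advisory or the Qpid project): audit Broker-J
# port definitions and the max-message-size context variable for the
# mitigations described in the advisory, and build the REST request that the
# advisory's curl command performs.
import base64
import json
import urllib.parse
import urllib.request

# "AMQP_1_0" and "AMQP_0_10" are quoted in the advisory's curl example; the
# identifiers for the affected 0-8/0-9/0-91 protocols are assumed here.
AFFECTED_PROTOCOLS = frozenset({"AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1"})
SAFE_PROTOCOLS = ("AMQP_1_0", "AMQP_0_10")

# Constructed sample of what a port listing from the REST API could look like;
# only the "name", "type" and "protocols" fields are used.
SAMPLE_PORTS_JSON = json.dumps([
    {"name": "AMQP", "type": "AMQP",
     "protocols": ["AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1", "AMQP_0_10", "AMQP_1_0"]},
    {"name": "AMQP-1.0-only", "type": "AMQP", "protocols": ["AMQP_1_0"]},
    {"name": "HTTP", "type": "HTTP"},
])


def exposed_ports(ports_json):
    """Names of AMQP ports that still accept one of the affected protocols.

    An AMQP port with no explicit protocol list is reported as exposed too:
    the broker then uses its defaults, which are assumed to include the
    0-8..0-91 protocols (the conservative choice for an audit).
    """
    exposed = []
    for port in json.loads(ports_json):
        if port.get("type") != "AMQP":
            continue
        protocols = port.get("protocols")
        if protocols is None or AFFECTED_PROTOCOLS.intersection(protocols):
            exposed.append(port["name"])
    return exposed


def hardened_protocols(protocols):
    """Protocol list with the affected versions removed, order preserved.

    If nothing would remain, fall back to the advisory's 1.0 + 0-10 list so
    the port is not left with an empty protocol set.
    """
    kept = [p for p in protocols if p not in AFFECTED_PROTOCOLS]
    return kept or list(SAFE_PROTOCOLS)


def max_message_size_disabled(context):
    """True when qpid.max_message_size is set to 0 or a negative value.

    A missing variable means the 100MB default limit is still active, so the
    size check (and with it the defect) is still reachable.
    """
    raw = context.get("qpid.max_message_size")
    if raw is None:
        return False
    try:
        return int(raw) <= 0
    except ValueError:
        return False


def build_port_update(broker_url, port_name, protocols, user, password):
    """urllib Request equivalent to the advisory's curl call (POST, JSON body).

    broker_url is a placeholder such as "https://broker.example:8443"; the
    /api/latest/port/<port name> path and the {"protocols": [...]} body are
    taken from the advisory. Basic auth mirrors curl's --user option.
    """
    body = json.dumps({"protocols": list(protocols)}).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{broker_url}/api/latest/port/{urllib.parse.quote(port_name, safe='')}",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


if __name__ == "__main__":
    for name in exposed_ports(SAMPLE_PORTS_JSON):
        print(f"port {name!r} still accepts an affected AMQP version")
    req = build_port_update("https://broker.example:8443", "AMQP",
                            SAFE_PROTOCOLS, "admin", "<password>")
    print(req.get_method(), req.full_url, req.data.decode())
    # urllib.request.urlopen(req) would send the change to a live broker.
```

Run it against the output of a GET on the broker's port collection to list every AMQP port that still advertises an affected protocol version, then feed each port's hardened list to build_port_update; the audit treats a port with no explicit protocol list as exposed on purpose, since the broker's defaults are assumed to enable the older versions.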

Credit: This issue was found by the Qpid development team.

References:

[1] https://issues.apache.org/jira/browse/QPID-8203
[2] https://qpid.apache.org/releases/qpid-broker-j-7.0.5/index.html
[3] https://qpid.apache.org/releases/qpid-broker-j-7.0.5/book/Java-Broker-Management-Channel-REST-API.html