Apache Qpid 0.30 Denial Of Service

Posted Jan 14, 2015
Authored by G. Geshev

Apache Qpid's qpidd up to and including version 0.30 suffers from a denial of service vulnerability.

tags | advisory, denial of service
advisories | CVE-2015-0203
SHA-256 | 93e08a917a4400984c0daa916d80f064f905d79916e53644c6f039af207a0100

    Apache Software Foundation - Security Advisory

Apache Qpid's qpidd can be crashed by authenticated user

CVE-2015-0203 CVSS: 5.2

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Apache Qpid's qpidd up to and including version 0.30

Description:

Certain unexpected protocol sequences cause the broker process to
crash due to insufficient checking. Three distinct cases were
identified as follows:

The AMQP 0-10 protocol defines a sequence set containing id
ranges. The qpidd broker can be crashed by sending it a sequence-set
containing an invalid range, where the start of the range is after the
end. This condition triggers an assertion failure, which causes the
broker process to exit.

The AMQP 0-10 protocol defines header and body segments that may
follow certain commands. The only command for which such segments are
expected by qpidd is the message-transfer command. If another command
is sent that includes header and/or body segments, this causes a
segmentation fault in the broker process, which then exits.

The AMQP 0-10 protocol defines a session-gap control that can be sent
on any established session. The qpidd broker does not support this
control and responds with an appropriate error if requested on an
established session. However, if the control is sent before the
session is opened, the broker's handling triggers an assertion failure,
which results in the broker process exiting.

Solution:

A patch is available (https://issues.apache.org/jira/browse/QPID-6310)
that handles all these errors by sending an exception control to the
remote peer, leaving the broker available to all other users. The fix
will be included in subsequent releases, but can be applied to 0.30 if
desired.
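
As an added illustration of the first case (this is not code from Qpid or from the QPID-6310 patch), the decoder below validates each range and returns an error status that a caller could turn into an exception control, instead of asserting. The wire layout (16-bit big-endian byte count followed by 32-bit big-endian lower/upper pairs) and all names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Outcome of decoding; anything other than Ok is reported to the peer
// as a protocol error instead of being asserted on.
enum class DecodeStatus { Ok, Truncated, BadLength, InvertedRange };
using Range = std::pair<uint32_t, uint32_t>;  // closed interval [first, second]

static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// RFC 1982 serial-number comparison: true when a comes after b.
static bool serial_after(uint32_t a, uint32_t b) {
    return static_cast<int32_t>(a - b) > 0;
}

// Assumed wire layout: 16-bit big-endian byte count, then that many bytes
// of (lower, upper) pairs, each a 32-bit big-endian sequence number.
DecodeStatus decode_sequence_set(const uint8_t* buf, size_t len,
                                 std::vector<Range>& out) {
    out.clear();
    if (len < 2) return DecodeStatus::Truncated;
    size_t body = (size_t(buf[0]) << 8) | buf[1];
    if (body > len - 2) return DecodeStatus::Truncated;  // count exceeds buffer
    if (body % 8 != 0) return DecodeStatus::BadLength;   // not whole pairs
    for (size_t off = 2; off < 2 + body; off += 8) {
        uint32_t lo = be32(buf + off), hi = be32(buf + off + 4);
        if (serial_after(lo, hi)) {  // start after end: reject, never assert
            out.clear();
            return DecodeStatus::InvertedRange;
        }
        out.emplace_back(lo, hi);
    }
    return DecodeStatus::Ok;
}

// Constructed sample buffers (not captured traffic).
DecodeStatus check_valid(std::vector<Range>& out) {
    const uint8_t b[] = {0x00, 0x08, 0, 0, 0, 1, 0, 0, 0, 5};  // [1, 5]
    return decode_sequence_set(b, sizeof b, out);
}
DecodeStatus check_inverted(std::vector<Range>& out) {
    const uint8_t b[] = {0x00, 0x08, 0, 0, 0, 5, 0, 0, 0, 1};  // [5, 1]
    return decode_sequence_set(b, sizeof b, out);
}
```
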

Common Vulnerability Score information:

Authentication can be used to restrict access to the broker. However,
any authenticated user would be able to trigger this condition, which
could therefore be considered a form of denial of service.

Credit:

This issue was discovered by G. Geshev from MWR Labs.

Common Vulnerability Score information:


CVSS Base Score:             6.3
Impact Subscore:             6.9
Exploitability Subscore:     6.8
CVSS Temporal Score:         5.2
CVSS Environmental Score:    Not Defined
Modified Impact Subscore:    Not Defined
Overall CVSS Score:          5.2