exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Qpid 0.30 Denial Of Service

Apache Qpid 0.30 Denial Of Service
Posted Jan 14, 2015
Authored by G. Geshev

Apache Qpid's qpidd up to and including version 0.30 suffers from a denial of service vulnerability.

tags | advisory, denial of service
advisories | CVE-2015-0203
SHA-256 | 93e08a917a4400984c0daa916d80f064f905d79916e53644c6f039af207a0100

Apache Qpid 0.30 Denial Of Service

Change Mirror Download
    Apache Software Foundation - Security Advisory

Apache Qpid's qpidd can be crashed by authenticated user

CVE-2015-0203 CVS: 5.2

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Apache Qpid's qpidd up to and including version 0.30

Description:

Certain unexpected protocol sequences cause the broker process to
crash due to insufficient checking. Three distinct cases were
identified as follows:

The AMQP 0-10 protocol defines a sequence set containing id
ranges. The qpidd broker can be crashed by sending it a sequence-set
containing an invalid range, where the start of the range is after the
end. This condition causes an assertion, which causes the broker
process to exit.

The AMQP 0-10 protocol defines header- and body- segments that may
follow certain commands. The only command for which such segments are
expected by qpidd is the message-transfer command. If another command
is sent that includes header and/or body segments, this will cause a
segmentation fault in the broker process, causing it then to exit.

The AMQP 0-10 protocol defines a session-gap control that can be sent
on any established session. The qpidd broker does not support this
control and responds with an appropriate error if requested on an
established session. However, if the control is sent before the
session is opened, the brokers handling causes an assertion which
results in the broker process exiting.

Solution:

A patch is available (https://issues.apache.org/jira/browse/QPID-6310)
that handles all these errors by sending an exception control to the
remote peer and leave the broker available to all other users. The fix
will be included in subsequent releases, but can be applied to 0.30 if
desired.

Common Vulnerability Score information:

Authentication can be used to restrict access to the broker. However
any authenticated user would be able to trigger this condition which
could therefore be considered a form of denial of service.

Credit:

This issue was discovered by G. Geshev from MWR Labs

Common Vulnerability Score information:


CVSS Base Score 6.3
Impact Subscore 6.9
Exploitability Subscore 6.8
CVSS Temporal Score 5.2
CVSS Environmental Score Not Defined
Modified Impact Subscore Not Defined
Overall CVSS Score 5.2
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    27 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close