what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Qpid Java Broker 6.0.2 Denial Of Service

Apache Qpid Java Broker 6.0.2 Denial Of Service
Posted May 27, 2016
Authored by Alex Szczuczko

Apache Qpid Java Broker versions 6.0.0, 6.0.1, and 6.0.2 suffer from a denial of service vulnerability.

tags | advisory, java, denial of service
advisories | CVE-2016-3094
SHA-256 | 3d81afb1173f32654873524b4636e3c6b1d5deed18d076fcaffba968ee1a79fa

Apache Qpid Java Broker 6.0.2 Denial Of Service

Change Mirror Download
CVE-2016-3094: Apache Qpid Java Broker denial of service vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Qpid Java Broker versions 6.0.0, 6.0.1, and 6.0.2

Description: A malformed authentication attempt may cause the broker to
terminate. The Qpid Java Broker supports a number of configurable
authentication providers each supporting various SASL mechanisms. Some
mechanisms need (or can be configured to accept) plain-text passwords
being sent to the Broker (using the SASL "PLAIN" mechanism). Where the
broker has been configured to allow plain-text passwords for authentication
it is possible for a client to send a malformed authentication attempt
which
will lead the broker to terminate due to an uncaught Exception.
Brokers configured to use authentication from the "PlainPasswordFile",
"SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if the
"PLAIN" mechanism is enabled (by default "PLAIN" will be disabled on
non-TLS ports, but enabled on TLS connections).

Mitigation: Users should upgrade their Qpid Java Broker to version 6.0.3 or
later. If this is not possible, users can disable the PLAIN mechanism for
their authentication manager on versions 0.32 and later by adding
"PLAIN" to
the list of disabledMechanisms on their authentication provider object.
Note that the SimpleLDAP authentication provider requires PLAIN and so this
work around does not apply there.

Credit: This issue was discovered by Alex Szczuczko of Red Hat, Inc.

References: https://issues.apache.org/jira/browse/QPID-7271
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close