Posted to commits@qpid.apache.org by lq...@apache.org on 2016/06/01 10:31:25 UTC

[1/2] qpid-site git commit: dedicated security pages

Repository: qpid-site
Updated Branches:
  refs/heads/asf-site fa6be03d2 -> 79eb6b382


dedicated security pages


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/022695bd
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/022695bd
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/022695bd

Branch: refs/heads/asf-site
Commit: 022695bd286dbce3620dda829635e3cd3c8fbc3f
Parents: fa6be03
Author: Lorenz Quack <qu...@gmail.com>
Authored: Mon May 30 09:02:07 2016 +0100
Committer: Lorenz Quack <qu...@gmail.com>
Committed: Wed Jun 1 11:23:53 2016 +0100

----------------------------------------------------------------------
 input/_transom_template.html                 |  3 +-
 input/components/cpp-broker/security.md      | 28 ++++++++
 input/components/dispatch-router/security.md | 28 ++++++++
 input/components/java-broker/security.md     | 34 ++++++++++
 input/components/jms/security-0-x.md         | 28 ++++++++
 input/components/jms/security-1.0.md         | 28 ++++++++
 input/components/messaging-api/security.md   | 28 ++++++++
 input/index.html.in                          |  2 +-
 input/proton/security.md                     | 28 ++++++++
 input/security.md                            | 81 +++++++++++++++++++++++
 input/site.js                                | 11 +++
 11 files changed, 297 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/_transom_template.html
----------------------------------------------------------------------
diff --git a/input/_transom_template.html b/input/_transom_template.html
index a232be7..71aa813 100644
--- a/input/_transom_template.html
+++ b/input/_transom_template.html
@@ -28,6 +28,7 @@
     <link rel="stylesheet" href="{{site_url}}/deferred.css" type="text/css" defer="defer"/>
     <script type="text/javascript">var _deferredFunctions = [];</script>
     <script type="text/javascript" src="{{site_url}}/deferred.js" defer="defer"></script>
+    <script type="text/javascript" src="{{site_url}}/site.js" defer="defer"></script>
     <!--[if lte IE 8]>
       <link rel="stylesheet" href="{{site_url}}/ie.css" type="text/css"/>
       <script type="text/javascript" src="{{site_url}}/html5shiv.js"></script>
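Review bot: the `javascript:` hrefs that call `toggleDiv` (used by the CVE tables added elsewhere in this commit) are inline script, so they will be refused by any Content-Security-Policy that omits `'unsafe-inline'`; loading `site.js` with `defer` is fine for click-driven calls, but consider having `site.js` attach the click handlers itself (for example by selecting toggle links by a class or `data-` attribute) so the template works under a restrictive CSP.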
@@ -123,7 +124,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
             <li><a href="http://www.apache.org/licenses/">License</a></li>
             <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
             <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
-            <li><a href="http://www.apache.org/security/">Security</a></li>
+            <li><a href="{{site_url}}/security.html">Security</a></li>
             <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
           </ul>
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/cpp-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/security.md b/input/components/cpp-broker/security.md
new file mode 100644
index 0000000..1ec9682
--- /dev/null
+++ b/input/components/cpp-broker/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## C++ Broker
+
+TBD
+
+</section>
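Review bot: the new component page is published with "TBD" as its only content, and the same applies to the dispatch-router, jms, messaging-api and proton pages added in this commit; until each list is filled in, a single line pointing readers to the ASF Security Team page (linked from `input/security.md`) would avoid a dead end for anyone looking for advisories.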

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/dispatch-router/security.md
----------------------------------------------------------------------
diff --git a/input/components/dispatch-router/security.md b/input/components/dispatch-router/security.md
new file mode 100644
index 0000000..3043c11
--- /dev/null
+++ b/input/components/dispatch-router/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Dispatch Router
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md
new file mode 100644
index 0000000..f09e819
--- /dev/null
+++ b/input/components/java-broker/security.md
@@ -0,0 +1,34 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Java Broker
+
+### CVEs
+
+| CVE-ID        | Severity  | Fixed&nbsp;in&nbsp;Version | Description |
+| ------------- |:---------:|:-----------------|:------------|
+| CVE-2016-3094 | Important | 6.0.3            | Denial of Service.  <a id="CVE_2016_3094_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a><div style="display:none;" id="CVE_2016_3094_details"><p>Versions Affected: Qpid Java Broker versions 6.0.0, 6.0.1, and 6.0.2</p><p>Description: A malformed authentication attempt may cause the broker to terminate.  The Qpid Java Broker supports a number of configurable authentication providers each supporting various SASL mechanisms. Some mechanisms need (or can be configured to accept) plain-text passwords being sent to the Broker (using the SASL "PLAIN" mechanism).  Where the broker has been configured to allow plain-text passwords for authentication it is possible for a client to send a malformed authentication attempt which will lead the broker to terminate due to an unca
 ught Exception.<br/>Brokers configured to use authentication from the "PlainPasswordFile", "SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled on non-TLS ports, but enabled on TLS connections).</p>Mitigation: Users should upgrade their Qpid Java Broker to version 6.0.3 or later.  If this is not possible, users can disable the PLAIN mechanism for their authentication manager on versions 0.32 and later by adding "PLAIN" to the list of disabledMechanisms on their authentication provider object.<br/>Note that the SimpleLDAP authentication provider requires PLAIN and so this work around does not apply there.</p><p>Credit: This issue was discovered by Alex Szczuczko of Red Hat, Inc.</p><p>References: <a href="https://issues.apache.org/jira/browse/QPID-7271">https://issues.apache.org/jira/browse/QPID-7271</a></p></div> |
+| CVE-2016-4432 | Important | 6.0.3 | Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a><div style="display:none;" id="CVE_2016_4432_details"><p>Versions Affected: Qpid Java Broker versions 6.0.2 and earlier</p><p>Description: The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw that allows authentication to be bypassed.  An remote attacker can exploit this vulnerability to perform actions, without the need to specify valid credentials.  For instance, unauthorised messages could be injected or messages stolen.<br/>The vulnerability cannot be exploited if the Access Control List (ACL) feature is enabled AND access to all virtual hosts controlled.<br/>The vulnerability does not apply to the Broker's AMQP 1.0 support.<br/>The 
 vulnerability does not apply if the Broker is configured to require SSL client authentication for all messaging connections.</p><p>Resolution: Users should upgrade the Qpid Java Broker to version 6.0.3 or later (recommended).</p><p>Mitigation: If upgrading is not possible, the vulnerability can be mitigated using an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists user access to all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can also be mitigated by turning off these protocols at the Port level.</p><p>References: <a href="https://issues.apache.org/jira/browse/QPID-7257">https://issues.apache.org/jira/browse/QPID-7257</a></p></div> |
+
+
+</section>
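Review bot: the CVE-2016-3094 description cell is malformed; after `TLS connections).</p>` the text `Mitigation: Users should upgrade ...` has no opening `<p>` but is closed by `</p>`, so the HTML nests incorrectly. Two wording fixes in the CVE-2016-4432 cell: "An remote attacker" should read "A remote attacker", and "0-91" should be "0-9-1" (as written in the jms/security-0-x.md heading). Also, a block-level `<div>` inside a Markdown table cell renders unreliably across Markdown processors; a plain HTML `<table>` (as the cpp-broker page uses in the follow-up commit) is safer, and an "Affected Versions" column would be clearer than burying "Versions Affected" inside the hidden details.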

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/jms/security-0-x.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security-0-x.md b/input/components/jms/security-0-x.md
new file mode 100644
index 0000000..ab9a94f
--- /dev/null
+++ b/input/components/jms/security-0-x.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## JMS Client (AMQP 0-8, 0-9, 0-9-1, 0-10)
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/jms/security-1.0.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security-1.0.md b/input/components/jms/security-1.0.md
new file mode 100644
index 0000000..12e8c74
--- /dev/null
+++ b/input/components/jms/security-1.0.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## JMS Client (AMQP 1.0)
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/messaging-api/security.md
----------------------------------------------------------------------
diff --git a/input/components/messaging-api/security.md b/input/components/messaging-api/security.md
new file mode 100644
index 0000000..e36ad46
--- /dev/null
+++ b/input/components/messaging-api/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Messaging API
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/index.html.in
----------------------------------------------------------------------
diff --git a/input/index.html.in b/input/index.html.in
index c9d6578..33f3cc5 100644
--- a/input/index.html.in
+++ b/input/index.html.in
@@ -57,7 +57,6 @@
       <li><a href="http://www.apache.org/licenses/">License</a></li>
       <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
       <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
-      <li><a href="http://www.apache.org/security/">Security</a></li>
     </ul>
   </section>
 
@@ -70,6 +69,7 @@
       <li><a href="{{site_url}}/discussion.html">Discussion</a></li>
       <li><a href="{{site_url}}/components/index.html">Components</a></li>
       <li><a href="{{site_url}}/releases/index.html">Releases</a></li>
+      <li><a href="{{site_url}}/security.html">Security</a></li>
       <li><a href="{{site_url}}/resources.html">More resources</a></li>
     </ul>
   </section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/proton/security.md
----------------------------------------------------------------------
diff --git a/input/proton/security.md b/input/proton/security.md
new file mode 100644
index 0000000..4f4179a
--- /dev/null
+++ b/input/proton/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Proton
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
new file mode 100644
index 0000000..26038f4
--- /dev/null
+++ b/input/security.md
@@ -0,0 +1,81 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Security Updates
+
+Lists of security problems fixed in released versions of the Apache
+Qpid are available for each Component separately:
+
+<div class="flex" markdown="1">
+<section markdown="1">
+
+ - [Java Broker]({{site_url}}/components/java-broker/security.html)
+ - [C++ Broker]({{site_url}}/components/cpp-broker/security.html)
+ - [Dispatch Router]({{site_url}}/components/dispatch-router/security.html)
+
+</section>
+<section markdown="1">
+
+ - [Proton]({{site_url}}/proton/security.html)
+ - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security-1.0.html)
+ - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
+ - [Messaging API]({{site_url}}/components/messaging-api/security.html)
+
+</section>
+</div>
+ 
+</section>
+<section markdown="1">
+
+## Reporting New Security Problems with Apache Qpid
+
+We take a very active stance in eliminating security problems and
+denial of service attacks against Apache Qpid.
+
+We strongly encourage folks to report such problems to the private
+security mailing list of the ASF Security Team, before disclosing them
+in a public forum.
+
+Please see the page of the [ASF Security
+Team](https://www.apache.org/security/) for further information and
+contact information.
+
+The ASF Security Team cannot accept regular bug reports or other
+queries, we ask that you use our [bug reporting
+page]({{site_url}}/issues.html) for those.
+
+All mail sent to the ASF Security Team that does not relate to
+security problems in Apache software will be ignored.
+
+Questions about:
+
+ - how to configure Qpid securely
+ - if a vulnerability applies to your particular application
+ - obtaining further information on a published vulnerability
+ - availability of patches and/or new releases
+
+should be addressed to the users mailing list. Please see the [mailing
+lists page]({{site_url}}/discussion.html) for details of how to
+subscribe.
+
+</section>
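Review bot: the intro sentence reads "fixed in released versions of the Apache Qpid are available for each Component separately"; drop "the" and lower-case "component" ("released versions of Apache Qpid are available for each component separately"). The line after `</div>` contains only a trailing space, which some Markdown processors treat as significant whitespace. In the "Questions about:" list, "if a vulnerability applies" should be "whether a vulnerability applies".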

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/site.js
----------------------------------------------------------------------
diff --git a/input/site.js b/input/site.js
index e69de29..c4417ff 100644
--- a/input/site.js
+++ b/input/site.js
@@ -0,0 +1,11 @@
+function toggleDiv(toggleInfo) {
+    var div=document.getElementById(toggleInfo.divId);
+    var control=document.getElementById(toggleInfo.controlId);
+    if (div.style.display !== 'none') {
+	div.style.display = 'none';
+	control.innerHTML = toggleInfo.showMore;
+    } else {
+	div.style.display = 'block';
+	control.innerHTML = toggleInfo.showLess;
+    }
+}
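Review bot: the open/closed test `div.style.display !== 'none'` inspects only the inline style, so it works because the details `<div>`s set `style="display:none;"` inline; if the initial hiding ever moves to a stylesheet, `style.display` is `''` and the first click hides rather than shows. Toggling a CSS class (or comparing `getComputedStyle(div).display`) is more robust. The `innerHTML` assignment is safe here only because `showMore`/`showLess` are literals in the page source; setting `textContent` and wrapping the control in `<small>` once in the markup avoids injecting markup at all, and a null check on `div`/`control` would prevent a thrown error on a mistyped id. Indentation also mixes tabs and spaces.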




[2/2] qpid-site git commit: populate some CVEs in the cpp-broker and java-broker

Posted by lq...@apache.org.
populate some CVEs in the cpp-broker and java-broker


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/79eb6b38
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/79eb6b38
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/79eb6b38

Branch: refs/heads/asf-site
Commit: 79eb6b382ac8e90c9b9f0c5a209775b0eca74da6
Parents: 022695b
Author: Lorenz Quack <qu...@gmail.com>
Authored: Wed Jun 1 11:28:19 2016 +0100
Committer: Lorenz Quack <qu...@gmail.com>
Committed: Wed Jun 1 11:28:19 2016 +0100

----------------------------------------------------------------------
 input/components/cpp-broker/security.md  | 167 +++++++++++++++++++++++++-
 input/components/java-broker/security.md |  90 +++++++++++++-
 2 files changed, 250 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/79eb6b38/input/components/cpp-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/security.md b/input/components/cpp-broker/security.md
index 1ec9682..8dd34d2 100644
--- a/input/components/cpp-broker/security.md
+++ b/input/components/cpp-broker/security.md
@@ -6,9 +6,9 @@
 ;; to you under the Apache License, Version 2.0 (the
 ;; "License"); you may not use this file except in compliance
 ;; with the License.  You may obtain a copy of the License at
-;; 
+;;
 ;;   http://www.apache.org/licenses/LICENSE-2.0
-;; 
+;;
 ;; Unless required by applicable law or agreed to in writing,
 ;; software distributed under the License is distributed on an
 ;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -23,6 +23,167 @@
 
 ## C++ Broker
 
-TBD
+<table>
+  <thead>
+    <tr>
+      <th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>CVE-2015-0224</td>
+      <td>Moderate</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>qpidd can be crashed by unauthenticated user
+	<a id="CVE_2015_0224_details_toggle" href="javascript:toggleDiv({divId:'CVE_2015_0224_details', controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+	<div style="display:none;" id="CVE_2015_0224_details">
+	  <p>Description: In CVE-2015-0203 it was announced that
+	    certain unexpected protocol sequences cause the broker
+	    process to crash due to insufficient checking, but that
+	    authentication could be used to restrict the exploitation
+	    of this vulnerability.<br/>  It has now been discovered
+	    that in fact failing authentication does not necessarily
+	    prevent exploitation of those reported
+	    vulnerabilities.<br/>  Further, it was stated that one of
+	    the specific vulnerabilities was that the qpidd broker can
+	    be crashed by sending it a sequence-set containing an
+	    invalid range, where the start of the range is after the
+	    end. This was an incorrect analysis of the vulnerability,
+	    which is in fact caused by a sequence-set containing a
+	    single range expressing the maximum possible gap.</p>
+
+	  <p>Solution: A further patch is available that handles a
+	  range expressing the maximum possible gap without assertion
+	  (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>). The
+	  fix will be included in subsequent releases, but can be
+	  applied to 0.30 if desired.</p>
+
+	  <p>Credit: This issue was discovered by G. Geshev from MWR
+	  Labs</p>
+	</div>
+     </td>
+    </tr>
+
+    <tr>
+      <td>CVE-2015-0223</td>
+      <td>Moderate</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>anonymous access to qpidd cannot be prevented
+	<a id="CVE_2015_0223_details_toggle" href="javascript:toggleDiv({divId:'CVE_2015_0223_details', controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+	<div style="display:none;" id="CVE_2015_0223_details">
+	  <p>Description: An attacker can gain access to qpidd as an
+	  anonymous user, even if the ANONYMOUS mechanism is
+	  disallowed.</p>
+
+	  <p>Solution: A patch is available
+	  (<a href="https://issues.apache.org/jira/browse/QPID-6325">QPID-6325</a>)
+	  that addresses this vulnerability. The fix will be included
+	  in subsequent releases, but can be applied to 0.30 if
+	  desired.</p>
+
+	  <p>Common Vulnerability Score information: Authorization can
+	  be used to restrict access to broker entities such as queue
+	  and exchanges.</p>
+
+	  <p>Credit: This issue was discovered by G. Geshev from MWR
+	  Labs</p>
+	</div>
+     </td>
+    </tr>
+
+    <tr>
+      <td>CVE-2015-0203</td>
+      <td>Moderate</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>qpidd can be crashed by authenticated user
+	<a id="CVE_2015_0203_details_toggle" href="javascript:toggleDiv({divId:'CVE_2015_0203_details', controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+	<div style="display:none;" id="CVE_2015_0203_details">
+	  <p>Description: Certain unexpected protocol sequences cause
+	  the broker process to crash due to insufficient
+	  checking. Three distinct cases were identified as follows:<br/>
+	  The AMQP 0-10 protocol defines a sequence set containing
+	  id ranges. The qpidd broker can be crashed by sending it a
+	  sequence-set containing an invalid range, where the start of
+	  the range is after the end. This condition causes an
+	  assertion, which causes the broker process to exit.<br/>
+	  The AMQP 0-10 protocol defines header- and body- segments
+	  that may follow certain commands. The only command for which
+	  such segments are expected by qpidd is the message-transfer
+	  command. If another command is sent that includes header
+	  and/or body segments, this will cause a segmentation fault
+	  in the broker process, causing it then to exit.<br/>
+	  The AMQP 0-10 protocol defines a session-gap control that
+	  can be sent on any established session. The qpidd broker
+	  does not support this control and responds with an
+	  appropriate error if requested on an established
+	  session. However, if the control is sent before the session
+	  is opened, the brokers handling causes an assertion which
+	  results in the broker process exiting.</p>
+
+	  <p>Solution: A patch is available
+	  (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>)
+	  that handles all these errors by sending an exception
+	  control to the remote peer and leave the broker available to
+	  all other users. The fix will be included in subsequent
+	  releases, but can be applied to 0.30 if desired.</p>
+
+	  <p>Common Vulnerability Score information: Authentication
+	  can be used to restrict access to the broker. However any
+	  authenticated user would be able to trigger this condition
+	  which could therefore be considered a form of denial of
+	  service.</p>
+
+	  <p>Credit: This issue was discovered by G. Geshev from MWR
+	  Labs</p>
+	</div>
+     </td>
+    </tr>
+
+    <tr>
+      <td>CVE-2014-3629</td>
+      <td>Low</td>
+      <td>0.30 and earlier</td>
+      <td>0.32 and later</td>
+      <td>qpidd can be induced to make http requests
+	<a id="CVE_2014_3629_details_toggle" href="javascript:toggleDiv({divId:'CVE_2014_3629_details', controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+	<div style="display:none;" id="CVE_2014_3629_details">
+	  <p>Description: The XML exchange type is an optional,
+	  dynamically loaded module for qpidd that allows creation of
+	  exchanges that route messages based on evaluating an xquery
+	  expression against them.<br/>On parsing a message sent to an
+	  XML exchange, whose body is XML containing a link to a DTD,
+	  the broker process will attempt to retrieve the referenced
+	  resource(s). I.e. the broker process may be induced to make
+	  outgoing HTTP connections by publishing a message containing
+	  links to an XML exchange.</p>
+
+	  <p>Solution:
+	  A <a href="https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch">patch</a>
+	  is available that prevents any retrieval of external
+	  entities referenced in the XML. This will be included in
+	  subsequent releases, but can be applied to 0.30 if
+	  desired.</p>
+
+	  <p>Common Vulnerability Score information: If the XML
+	  exchange functionality is not required, the module in
+	  question need not be loaded at all. This can be done either
+	  by moving the module - named xml.so - out of the module
+	  directory, or by setting the --no-module-dir option and
+	  adding an explicit --load-module argument for every required
+	  module.<br/>Where the XML exchange functionality is
+	  required, authorisation may be enabled to prevent all but
+	  trusted users from creating or publishing to xml
+	  exchanges.</p>
+
+	  <p>Credit: This issue was discovered by G. Geshev from MWR
+	  Labs</p>
+	</div>
+     </td>
+    </tr>
+  </tbody>
+</table>
 
 </section>
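Review bot: the "Solution" paragraphs in all four rows still say the fix "will be included in subsequent releases, but can be applied to 0.30 if desired", which contradicts the new "Fixed in Versions" column stating "0.32 and later"; reword to present tense (fixed in 0.32, patch available for 0.30). In the CVE-2015-0203 description, "the brokers handling causes an assertion" should be "the broker's handling", and "header- and body- segments" should be "header and body segments". The CVE-2014-3629 "Solution" links straight to a JIRA attachment (`.../attachment/12680198/QPID-6218.patch`); linking the QPID-6218 issue itself, as the other rows do, gives readers the tracked context rather than a bare patch file. The table markup also mixes tabs and spaces for indentation.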

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/79eb6b38/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md
index f09e819..8f3ad91 100644
--- a/input/components/java-broker/security.md
+++ b/input/components/java-broker/security.md
@@ -25,10 +25,92 @@
 
 ### CVEs
 
-| CVE-ID        | Severity  | Fixed&nbsp;in&nbsp;Version | Description |
-| ------------- |:---------:|:-----------------|:------------|
-| CVE-2016-3094 | Important | 6.0.3            | Denial of Service.  <a id="CVE_2016_3094_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a><div style="display:none;" id="CVE_2016_3094_details"><p>Versions Affected: Qpid Java Broker versions 6.0.0, 6.0.1, and 6.0.2</p><p>Description: A malformed authentication attempt may cause the broker to terminate.  The Qpid Java Broker supports a number of configurable authentication providers each supporting various SASL mechanisms. Some mechanisms need (or can be configured to accept) plain-text passwords being sent to the Broker (using the SASL "PLAIN" mechanism).  Where the broker has been configured to allow plain-text passwords for authentication it is possible for a client to send a malformed authentication attempt which will lead the broker to terminate due to an unca
 ught Exception.<br/>Brokers configured to use authentication from the "PlainPasswordFile", "SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled on non-TLS ports, but enabled on TLS connections).</p>Mitigation: Users should upgrade their Qpid Java Broker to version 6.0.3 or later.  If this is not possible, users can disable the PLAIN mechanism for their authentication manager on versions 0.32 and later by adding "PLAIN" to the list of disabledMechanisms on their authentication provider object.<br/>Note that the SimpleLDAP authentication provider requires PLAIN and so this work around does not apply there.</p><p>Credit: This issue was discovered by Alex Szczuczko of Red Hat, Inc.</p><p>References: <a href="https://issues.apache.org/jira/browse/QPID-7271">https://issues.apache.org/jira/browse/QPID-7271</a></p></div> |
-| CVE-2016-4432 | Important | 6.0.3 | Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a><div style="display:none;" id="CVE_2016_4432_details"><p>Versions Affected: Qpid Java Broker versions 6.0.2 and earlier</p><p>Description: The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw that allows authentication to be bypassed.  An remote attacker can exploit this vulnerability to perform actions, without the need to specify valid credentials.  For instance, unauthorised messages could be injected or messages stolen.<br/>The vulnerability cannot be exploited if the Access Control List (ACL) feature is enabled AND access to all virtual hosts controlled.<br/>The vulnerability does not apply to the Broker's AMQP 1.0 support.<br/>The 
 vulnerability does not apply if the Broker is configured to require SSL client authentication for all messaging connections.</p><p>Resolution: Users should upgrade the Qpid Java Broker to version 6.0.3 or later (recommended).</p><p>Mitigation: If upgrading is not possible, the vulnerability can be mitigated using an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists user access to all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can also be mitigated by turning off these protocols at the Port level.</p><p>References: <a href="https://issues.apache.org/jira/browse/QPID-7257">https://issues.apache.org/jira/browse/QPID-7257</a></p></div> |
+<table>
+  <thead>
+    <tr>
+      <th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>CVE-2016-4432</td>
+      <td>Important</td>
+      <td>6.0.2 and earlier</td>
+      <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
+      <td>
+        Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE_2016_4432_details">
+          <p>Versions Affected: Qpid Java Broker versions 6.0.2 and
+          earlier</p>
+          <p>Description: The code responsible for handling incoming
+          AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw
+          that allows authentication to be bypassed.  An remote
+          attacker can exploit this vulnerability to perform actions,
+          without the need to specify valid credentials.  For
+          instance, unauthorised messages could be injected or
+          messages stolen.<br/>The vulnerability cannot be exploited
+          if the Access Control List (ACL) feature is enabled AND
+          access to all virtual hosts controlled.<br/>The
+          vulnerability does not apply to the Broker's AMQP 1.0
+          support.<br/>The vulnerability does not apply if the Broker
+          is configured to require SSL client authentication for all
+          messaging connections.</p>
+          <p>Resolution: Users should upgrade the Qpid Java Broker to
+          version 6.0.3 or later (recommended).</p>
+          <p>Mitigation: If upgrading is not possible, the
+          vulnerability can be mitigated using an ACL file containing
+          "ACCESS VIRTUALHOST" clauses that white-lists user access to
+          all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10
+          support is not required, the vulnerability can also be
+          mitigated by turning off these protocols at the Port
+          level.</p>
+          <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7257">QPID-7257</a></p>
+        </div>
+      </td>
+    </tr>
 
+    <tr>
+      <td>CVE-2016-3094</td>
+      <td>Important</td>
+      <td>6.0.0, 6.0.1, 6.0.2</td>
+      <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
+      <td>
+        Denial of Service.
+        <a id="CVE_2016_3094_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE_2016_3094_details">
+          <p>Versions Affected: Qpid Java Broker versions 6.0.0,
+          6.0.1, and 6.0.2</p>
+          <p>Description: A malformed authentication attempt may cause
+          the broker to terminate.  The Qpid Java Broker supports a
+          number of configurable authentication providers each
+          supporting various SASL mechanisms. Some mechanisms need (or
+          can be configured to accept) plain-text passwords being sent
+          to the Broker (using the SASL "PLAIN" mechanism).  Where the
+          broker has been configured to allow plain-text passwords for
+          authentication it is possible for a client to send a
+          malformed authentication attempt which will lead the broker
+          to terminate due to an uncaught Exception.<br/>  Brokers
+          configured to use authentication from the
+          "PlainPasswordFile", "SimpleLDAP", or
+          "Base64MD5PasswordFile" providers are vulnerable if the
+          "PLAIN" mechanism is enabled (by default "PLAIN" will be
+          disabled on non-TLS ports, but enabled on TLS
+          connections).</p>
+          <p>Mitigation: Users should upgrade their Qpid Java Broker
+          to version 6.0.3 or later.  If this is not possible, users
+          can disable the PLAIN mechanism for their authentication
+          manager on versions 0.32 and later by adding "PLAIN" to the
+          list of disabledMechanisms on their authentication provider
+          object.<br/>Note that the SimpleLDAP authentication provider
+          requires PLAIN and so this work around does not apply
+          there.</p>
+          <p>Credit: This issue was discovered by Alex Szczuczko of
+          Red Hat, Inc.</p>
+          <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7271">QPID-7271</a></p>
+        </div>
+      </td>
+    </tr>
+  </tbody>
+</table>
 
 </section>
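Review bot: two grammar fixes are needed in the rewritten table: "An remote attacker can exploit" in the CVE-2016-4432 description should be "A remote attacker can exploit", and "this work around does not apply" in the CVE-2016-3094 mitigation should use the noun "workaround". Consistency points worth settling before merge: the new "Affected Versions" column repeats the "Versions Affected:" paragraph inside each details div, so one of the two is redundant; CVE-2016-4432 carries a separate "Resolution:" paragraph while CVE-2016-3094 folds the upgrade advice into "Mitigation:", so pick one layout for both rows; and "broker"/"Broker" alternates within the same paragraph ("cause the broker to terminate" against "sent to the Broker"). The CVE-2016-4432 row also has no Credit paragraph while the other row does; if a reporter should be credited, add it in the same position.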

