You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by kw...@apache.org on 2017/11/30 17:21:39 UTC
qpid-site git commit: Add CVE-2017-15701 and CVE-2017-15702 to
Broker-J security page
Repository: qpid-site
Updated Branches:
refs/heads/asf-site 030c23a69 -> 6bfb1bf48
Add CVE-2017-15701 and CVE-2017-15702 to Broker-J security page
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/6bfb1bf4
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/6bfb1bf4
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/6bfb1bf4
Branch: refs/heads/asf-site
Commit: 6bfb1bf48c18d6fe5d263f3ad6a323f3fb3991f2
Parents: 030c23a
Author: Lorenz Quack <lq...@apache.org>
Authored: Fri Nov 24 10:09:48 2017 +0000
Committer: Keith Wall <kw...@apache.org>
Committed: Thu Nov 30 17:12:35 2017 +0000
----------------------------------------------------------------------
input/components/broker-j/security.md | 2 ++
input/cves/CVE-2017-15701.md | 43 ++++++++++++++++++++++++++
input/cves/CVE-2017-15702.md | 49 ++++++++++++++++++++++++++++++
3 files changed, 94 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/6bfb1bf4/input/components/broker-j/security.md
----------------------------------------------------------------------
diff --git a/input/components/broker-j/security.md b/input/components/broker-j/security.md
index e34759b..501e1c3 100644
--- a/input/components/broker-j/security.md
+++ b/input/components/broker-j/security.md
@@ -24,6 +24,8 @@
| [CVE-2016-3094]({{site_url}}/cves/CVE-2016-3094.html) | Important | 6.0.0, 6.0.1, and 6.0.2 | 6.0.3 | Denial of service |
| [CVE-2016-4432]({{site_url}}/cves/CVE-2016-4432.html) | Important | 6.0.2 and earlier | 6.0.3 | Authentication bypass |
| [CVE-2016-8741]({{site_url}}/cves/CVE-2016-8741.html) | Moderate | 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0 | 6.0.6, 6.1.1 | Information leakage |
+| [CVE-2017-15701]({{site_url}}/cves/CVE-2017-15701.html) | Important | 6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4 | 6.1.5 | Denial of Service |
+| [CVE-2017-15702]({{site_url}}/cves/CVE-2017-15702.html) | Important | 0.18, 0.20, 0.22, 0.24, 0.26, 0.28, 0.30, and 0.32 | 6.0.0 | Authentication vulnerability |
See the main [security]({{site_url}}/security.html) page for general
information and details for other components.
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/6bfb1bf4/input/cves/CVE-2017-15701.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2017-15701.md b/input/cves/CVE-2017-15701.md
new file mode 100644
index 0000000..b6c1889
--- /dev/null
+++ b/input/cves/CVE-2017-15701.md
@@ -0,0 +1,43 @@
+# CVE-2017-15701
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4
+
+## Fixed versions
+
+[6.1.5]({{site_url}}/releases/qpid-java-6.1.5/index.html)
+
+## Description
+
+The broker does not properly enforce a maximum frame size in AMQP 1.0
+frames. A remote unauthenticated attacker could exploit this to cause
+the broker to exhaust all available memory and eventually terminate.
+Older AMQP protocols are not affected.
+
+## Resolution
+
+Users who have AMQP 1.0 support enabled (default) should upgrade their
+Qpid Broker-J to version 6.1.5 or later (recommended).
+
+## Mitigation
+
+If upgrading the broker is not possible, users can choose to disable
+AMQP 1.0 by either setting the system property
+"qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
+excluding "AMQP_1_0" from the supported protocol list on all AMQP
+ports, or by removing the AMQP 1.0 related jar files from the Java
+classpath.
+
+## References
+
+[QPID-7947](https://issues.apache.org/jira/browse/QPID-7947)
+
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/6bfb1bf4/input/cves/CVE-2017-15702.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2017-15702.md b/input/cves/CVE-2017-15702.md
new file mode 100644
index 0000000..11a4eab
--- /dev/null
+++ b/input/cves/CVE-2017-15702.md
@@ -0,0 +1,49 @@
+# CVE-2017-15702
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+0.18 through 0.32
+
+## Fixed versions
+
+[6.0.0]({{site_url}}/releases/qpid-java-6.0.0/index.html)
+
+## Description
+
+If the broker is configured with different authentication providers on
+different ports one of which is an HTTP port, then the broker can be
+tricked by a remote unauthenticated attacker connecting to the HTTP
+port into using an authentication provider that was configured on a
+different port. The attacker still needs valid credentials with the
+authentication provider on the spoofed port. This becomes an issue
+when the spoofed port has weaker authentication protection (e.g.,
+anonymous access, default accounts) and is normally protected by
+firewall rules or similar which can be circumvented by this
+vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer
+are not affected.
+
+## Resolution
+
+Users of affected versions who have more than one port and different
+authentication providers configured on them should upgrade to a
+later unaffected version (recommended).
+
+## Mitigation
+
+If upgrading the broker is not possible then users should ensure all
+their authentication providers offer an equal amount of protection.
+In particular, authentication providers with default accounts and
+those with anonymous access should be removed if other providers in
+use require credentials.
+
+## References
+
+[QPID-8039](https://issues.apache.org/jira/browse/QPID-8039)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org