Posted to announce@apache.org by Ganesh Murthy <gm...@apache.org> on 2018/02/13 20:09:57 UTC
[SECURITY] CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Versions 0.7.0 and 0.8.0
Description: A Denial of Service vulnerability was found in Apache
Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a
remote user must be able to establish an AMQP connection to the Qpid
Dispatch Router and send a specially crafted AMQP frame, which causes
the Router to segfault and shut down.
Resolution:
Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to
version 0.8.1, or to version 1.0.0 or later.
Mitigation:
Any user who is able to connect to the Router may exploit the
vulnerability. If anonymous authentication is enabled, then any remote
user with network access to the Router is a possible attacker. The
number of possible attackers is reduced if the Router is configured to
require authentication: an attacker then needs valid credentials to
establish a connection to the Router before the vulnerability can be
exploited.
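The mitigation above, shown as a constructed qdrouterd.conf fragment (an added example, not part of the advisory or the project's documentation): the first listener accepts unauthenticated peers, the second requires SASL PLAIN over TLS so that only a peer holding valid credentials can reach the frame-handling code. Attribute names follow the Dispatch Router 0.8/1.0 listener and sslProfile entities as I know them and the certificate paths are placeholders; check both against the installed version's documentation, and note that this narrows exposure only, the upgrade in the Resolution section is the fix.

```conf
# Constructed qdrouterd.conf fragment, not from the advisory.

# WEAK: anonymous SASL and no peer authentication, so anyone with
# network reach can open a connection and send frames.
listener {
    host: 0.0.0.0
    port: amqp
    saslMechanisms: ANONYMOUS
    authenticatePeer: no
}

# HARDENED: TLS on the listener and mandatory SASL PLAIN, so a peer must
# present valid credentials before it can send application frames.
sslProfile {
    name: router-tls
    certFile: /PLACEHOLDER/path/to/router-cert.pem
    privateKeyFile: /PLACEHOLDER/path/to/router-key.pem
}

listener {
    host: 0.0.0.0
    port: amqps
    sslProfile: router-tls
    requireSsl: yes
    saslMechanisms: PLAIN
    authenticatePeer: yes
}
```

The SASL PLAIN mechanism itself is served by the router's Cyrus SASL configuration, which is set up separately from this fragment.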
[1] - https://issues.apache.org/jira/browse/DISPATCH-924