Posted to announce@apache.org by Keith Wall <kw...@apache.org> on 2017/11/30 17:15:43 UTC

[SECURITY] [CVE-2017-15701] Apache Qpid Broker-J Denial of Service Vulnerability

CVE-2017-15701: Apache Qpid Broker-J denial of service vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4

Description:

The broker does not properly enforce a maximum frame size in AMQP 1.0
frames.  A remote unauthenticated attacker could exploit this to cause
the broker to exhaust all available memory and eventually terminate.
Older AMQP protocols are not affected.

Resolution:

Users who have AMQP 1.0 support enabled (default) should upgrade their
Qpid Broker-J to version 6.1.5 or later.

Mitigation:

If upgrading the broker is not possible, users can choose to disable
AMQP 1.0 by either setting the system property
"qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
excluding "AMQP_1_0" from the supported protocol list on all AMQP
ports, or by removing the AMQP 1.0 related jar files from the Java
classpath.

References:

https://issues.apache.org/jira/browse/QPID-7947
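As an added illustration (not Qpid Broker-J's own code), the following Python frame reader applies the check the advisory describes as missing: the size a peer declares in an AMQP 1.0 frame header is compared with the receiver's max-frame-size before any bytes are buffered. The header layout and the 512-byte pre-negotiation floor come from the AMQP 1.0 specification; the sample frame bytes and the helper names are constructed for this example.

```python
import struct

# AMQP 1.0 frame header: size (uint32, big-endian, includes the header itself),
# doff (data offset in 4-byte words, at least 2), type (0 = AMQP, 1 = SASL), channel.
HEADER = struct.Struct(">IBBH")
# Spec floor for max-frame-size; it applies until Open performatives raise it.
MIN_MAX_FRAME_SIZE = 512


class FrameTooLarge(ValueError):
    """Peer declared a frame larger than the limit this receiver advertised."""


class MalformedFrame(ValueError):
    """Header fields are internally inconsistent."""


def encode_frame(channel: int, body: bytes, ftype: int = 0) -> bytes:
    """Build a minimal frame (doff = 2, no extended header); used to construct samples."""
    return HEADER.pack(HEADER.size + len(body), 2, ftype, channel) + body


def read_frame(buf: bytes, max_frame_size: int = MIN_MAX_FRAME_SIZE):
    """Parse one frame from the front of buf.

    Returns (ftype, channel, body, remaining), or None when more bytes are needed.
    The bound is enforced on the *declared* size, so a peer cannot make the receiver
    accumulate memory by announcing a huge frame and trickling the bytes in.
    """
    if len(buf) < HEADER.size:
        return None
    size, doff, ftype, channel = HEADER.unpack_from(buf)
    if size > max_frame_size:
        raise FrameTooLarge(f"declared size {size} exceeds max-frame-size {max_frame_size}")
    if size < HEADER.size or doff < 2 or doff * 4 > size:
        raise MalformedFrame(f"size={size} doff={doff}")
    if len(buf) < size:
        return None  # wait for the rest; the wait is bounded by max_frame_size
    return ftype, channel, buf[doff * 4:size], buf[size:]


if __name__ == "__main__":
    # Constructed input: a small well-formed frame, then a header announcing a 4 GiB frame.
    stream = encode_frame(0, b"\x00\x53\x10") + HEADER.pack(0xFFFFFFFF, 2, 0, 0)
    ftype, channel, body, rest = read_frame(stream)
    print("frame ok:", ftype, channel, body.hex())
    try:
        read_frame(rest)  # rejected before any buffering happens
    except FrameTooLarge as exc:
        print("rejected:", exc)
```

Once the peers have exchanged Open performatives, the caller passes the max-frame-size it advertised in its own Open as max_frame_size; the check itself does not change.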

Re: [SECURITY] [CVE-2017-15701] Apache Qpid Broker-J Denial of Service Vulnerability

Posted by Keith Wall <kw...@apache.org>.
Sebb

On 1 December 2017 at 09:01, sebb <se...@gmail.com> wrote:
> From the peanut gallery:
>
> It would be helpful to include a link to the download page and the main
> website in announcements such as these.
>

Thanks for the feedback.  I try to adhere to the guidance [1] provided
by the Apache Security Team.  It suggests a model to follow when
making security announcements so that there is uniformity across the
projects.
I ought to have provided a link to Apache Qpid's security page, which
lists the CVE [2] etc.  I will endeavour to do so in future.

[1] https://www.apache.org/security/committers.html
[2] https://qpid.apache.org/components/broker-j/security.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Re: [SECURITY] [CVE-2017-15701] Apache Qpid Broker-J Denial of Service Vulnerability

Posted by sebb <se...@gmail.com>.
From the peanut gallery:

It would be helpful to include a link to the download page and the main
website in announcements such as these.

On 30 November 2017 at 17:15, Keith Wall <kw...@apache.org> wrote:
> CVE-2017-15701: Apache Qpid Broker-J denial of service vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: 6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4
>
> Description:
>
> The broker does not properly enforce a maximum frame size in AMQP 1.0
> frames.  A remote unauthenticated attacker could exploit this to cause
> the broker to exhaust all available memory and eventually terminate.
> Older AMQP protocols are not affected.
>
> Resolution:
>
> Users who have AMQP 1.0 support enabled (default) should upgrade their
> Qpid Broker-J to version 6.1.5 or later.
>
> Mitigation:
>
> If upgrading the broker is not possible, users can choose to disable
> AMQP 1.0 by either setting the system property
> "qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
> excluding "AMQP_1_0" from the supported protocol list on all AMQP
> ports, or by removing the AMQP 1.0 related jar files from the Java
> classpath.
>
> References:
>
> https://issues.apache.org/jira/browse/QPID-7947
