[SECURITY] CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands

[Alex Rudyy <or...@apache.org>]

CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP
0-8 to 0-10 commands

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: 6.0.0-7.0.6 (inclusive), 7.1.0

Description:

A Denial of Service vulnerability [1] was found in Apache Qpid Broker-J
versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated
attacker to crash the broker instance by sending specially crafted
commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and
0-10).

Resolution:

Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0
utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid

Broker-J versions 7.0.7 or 7.1.1 or later.

Mitigation:

If upgrade of the broker is not possible, the support for AMQP protocols
0-8...0-10 can be disabled on AMQP ports. The change can be made either
directly in the broker configuration file or by using management interfaces.

An example of REST API call restricting AMQP port to support only AMQP 1.0
using curl utility is provided below:

curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' \
https://<broker host>:<broker port>/api/latest/port/<port name>

References:
[1] https://issues.apache.org/jira/browse/QPID-8273

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org