Apache Qpid 0.30 Denial Of Service

2015.01.14
Credit: G. Geshev
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-19


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Apache Software Foundation - Security Advisory

Apache Qpid's qpidd can be crashed by authenticated user

CVE-2015-0203

CVSS: 5.2

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache Qpid's qpidd up to and including version 0.30

Description:

Certain unexpected protocol sequences cause the broker process to crash due to insufficient checking. Three distinct cases were identified as follows:

The AMQP 0-10 protocol defines a sequence set containing id ranges. The qpidd broker can be crashed by sending it a sequence-set containing an invalid range, where the start of the range is after the end. This condition causes an assertion, which causes the broker process to exit.

The AMQP 0-10 protocol defines header- and body-segments that may follow certain commands. The only command for which such segments are expected by qpidd is the message-transfer command. If another command is sent that includes header and/or body segments, this will cause a segmentation fault in the broker process, causing it then to exit.

The AMQP 0-10 protocol defines a session-gap control that can be sent on any established session. The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the broker's handling causes an assertion which results in the broker process exiting.

Solution:

A patch is available (https://issues.apache.org/jira/browse/QPID-6310) that handles all these errors by sending an exception control to the remote peer, leaving the broker available to all other users. The fix will be included in subsequent releases, but can be applied to 0.30 if desired.

Common Vulnerability Score information:

Authentication can be used to restrict access to the broker. However, any authenticated user would be able to trigger this condition, which could therefore be considered a form of denial of service.

Credit: This issue was discovered by G. Geshev from MWR Labs

Common Vulnerability Score information:

CVSS Base Score 6.3
Impact Subscore 6.9
Exploitability Subscore 6.8
CVSS Temporal Score 5.2
CVSS Environmental Score Not Defined
Modified Impact Subscore Not Defined
Overall CVSS Score 5.2
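The sketch below is an added example, not code from qpidd or from the QPID-6310 patch: it shows the kind of check the first case calls for, where a sequence-set is validated on decode and a bad range becomes an error to report to the peer instead of an assertion. All names are hypothetical, and the wire layout (16-bit big-endian byte count followed by pairs of 32-bit big-endian sequence numbers, compared with wrap-around serial arithmetic) is an assumption about the AMQP 0-10 encoding.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Added illustration with hypothetical names; not qpidd's code.
using Range = std::pair<uint32_t, uint32_t>;  // (first, last), inclusive

struct ParseResult {
    bool ok;
    std::string error;          // text to carry in the exception sent to the peer
    std::vector<Range> ranges;
};

static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Serial-number comparison (assumed): true when a is after b, allowing wrap-around.
static bool after(uint32_t a, uint32_t b) {
    return static_cast<int32_t>(a - b) > 0;
}

// Assumed layout: 2-byte big-endian size, then (first, last) pairs of 4-byte values.
// Every malformed input returns an error; nothing here asserts or aborts.
ParseResult parseSequenceSet(const uint8_t* buf, size_t len) {
    if (len < 2) return {false, "truncated sequence-set size", {}};
    size_t size = (size_t(buf[0]) << 8) | buf[1];
    if (size > len - 2) return {false, "sequence-set size exceeds frame", {}};
    if (size % 8 != 0) return {false, "sequence-set size not a multiple of 8", {}};
    ParseResult r{true, "", {}};
    for (size_t off = 2; off < 2 + size; off += 8) {
        uint32_t first = be32(buf + off), last = be32(buf + off + 4);
        // The case from the advisory: start of the range is after the end.
        if (after(first, last)) return {false, "sequence-set range start is after end", {}};
        r.ranges.emplace_back(first, last);
    }
    return r;
}

int main() {
    const uint8_t sample[] = {0x00, 0x08, 0, 0, 0, 5, 0, 0, 0, 1};  // constructed: range 5..1
    ParseResult r = parseSequenceSet(sample, sizeof sample);
    std::printf("%s\n", r.ok ? "accepted" : r.error.c_str());
    return 0;
}
```

The caller would turn a failed result into an exception for that session only, which matches the behaviour the advisory describes for the fix.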



Copyright 2024, cxsecurity.com

 
