http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4467.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-4467.html b/content/cves/CVE-2016-4467.html new file mode 100644 index 0000000..48a6dc4 --- /dev/null +++ b/content/cves/CVE-2016-4467.html @@ -0,0 +1,207 @@ + + + + + CVE-2016-4467 - Apache Qpid™ + + + + + + + + + + + + + +
+
+ Menu + + Search + + +
+ + + + + +
+ + +
+

CVE-2016-4467

+ +

Severity

+ +

Medium

+ +

Affected components

+ +

Qpid Proton

+ +

Affected versions

+ +

0.8 through 0.13.0 inclusive

+ +

Fixed versions

+ +

0.13.1 and later

+ +

Description

+ +

Failure to verify that the server host name matches the certificate +host name on Windows.

+ +

Messaging applications using the Proton C library to provide SSL/TLS +authentication on Windows can falsely authenticate a server whose name +does not match the server name in the connection specifier. Proton C +bindings are affected to a greater or lesser degree depending on how +they use the underlying Proton C library.

+ +

In Proton C, this can only happen if PN_SSL_VERIFY_PEER_NAME has been +specified as the verification mode and pn_ssl_set_peer_hostname() has +not been called at all or has been called with a NULL value for a +particular pn_ssl_t object.

+ +

In the Proton C++ binding, this will always happen unless the +application has separately specified a virtual_host name for an +SSL/TLS connection.

+ +

In the Proton Python and Ruby bindings, this will only happen if the +application has separately specified a NULL virtual_host name for an +SSL/TLS connection after creating the connection but before the +authentication step.

+ +

This issue only occurs on Windows versions of Proton that use the +default SChannel-based security layer.

+ +

In any of the preceding cases, it is possible for a man-in-the-middle +attacker to spoof an SSL/TLS server if they had a certificate that was +valid for any of the application's Certificate Authorities.

+ +

Resolution

+ +

Proton release 0.13.1 resolves this issue in the SChannel-based +security layer by obtaining a default non-NULL peer hostname from the +associated connection address when initialized and by always failing +hostname verification if PN_SSL_VERIFY_PEER_NAME has been specified +along with a NULL peer hostname. This resolution matches the +associated behaviour of the OpenSSL-based security layer.

+ +

References

+ +

PROTON-1228 and +PROTON-1233

+ + +
+ + + + +
+
+
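Review bot: the Description tells users exactly what avoids the bug, but the page never turns that into a Mitigation for anyone who cannot move to 0.13.1 yet; the template added in this same commit has a Mitigation section and the other two advisories use it. From the hunk's own text the workaround is: in Proton C, call pn_ssl_set_peer_hostname() with the expected server name on every pn_ssl_t that uses PN_SSL_VERIFY_PEER_NAME; in the C++ binding, set a virtual_host for the connection; in Python and Ruby, never set virtual_host to NULL after creating the connection. Two wording points in the same region: "a certificate that was valid for any of the application's Certificate Authorities" reads as though the certificate must match a CA, where the meaning is "any certificate, for any host name, issued by a CA the application trusts"; and "Proton C bindings are affected to a greater or lesser degree" adds nothing that the three binding-specific paragraphs that follow do not state more precisely.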
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4974.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-4974.html b/content/cves/CVE-2016-4974.html new file mode 100644 index 0000000..0f13648 --- /dev/null +++ b/content/cves/CVE-2016-4974.html @@ -0,0 +1,196 @@ + + + + + CVE-2016-4974 - Apache Qpid™ + + + + + + + + + + + + + +
+
+ Menu + + Search + + +
+ + + + + +
+ + +
+

CVE-2016-4974

+ +

Severity

+ +

Moderate

+ +

Affected components

+ +

Qpid JMS

+ +

Affected versions

+ +

0.9.0 and earlier

+ +

Fixed versions

+ +

0.10.0 and later

+ +

Description

+ +

Deserialization of untrusted input while using JMS ObjectMessage.

+ +

When applications call getObject() on a consumed JMS ObjectMessage +they are subject to the behaviour of any object deserialization during +the process of constructing the body to return. Unless the application +has taken outside steps to limit the deserialization process, they +can't protect against input that might try to make undesired use of +classes available on the application classpath that might be +vulnerable to exploitation. In order to exploit this vulnerability, an +attacker would need to be able to inject a suitably crafted AMQP +message containing the malicious JMS Object Message into the AMQP +message network. For this, the attacker would require valid +authentication credentials and suitable authorisation.

+ +

Mitigation

+ +

Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or +later, and use the new configuration options to whitelist trusted +content permitted for deserialization. When so configured, attempts to +deserialize input containing other content will be +prevented. Alternatively, users of older client releases may utilise +other means such as agent-based approaches to help govern content +permitted for deserialization in their application.

+ +

Credit

+ +

This issue was discovered by Matthias Kaiser of Code White +(www.code-white.com).

+ +

References

+ +

QPIDJMS-188

+ + +
+ + + + +
+
+
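Review bot: "Fixed versions: 0.10.0 and later" overstates what the upgrade does; by the Mitigation paragraph's own words the protection only exists "when so configured", that is, after the application sets the new whitelist options, so an unconfigured 0.10.0 client still deserializes whatever the ObjectMessage carries. Say that in Fixed versions (along the lines of "0.10.0 and later, with the deserialization whitelist configured") and name or link the configuration options so readers do not have to dig them out of the release notes. In the Description, "valid authentication credentials and suitable authorisation" can be read as needing administrative access; since the precondition is injecting a message the victim then consumes, it is worth saying that send permission on a destination the application consumes from is enough.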
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-8741.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-8741.html b/content/cves/CVE-2016-8741.html new file mode 100644 index 0000000..6835235 --- /dev/null +++ b/content/cves/CVE-2016-8741.html @@ -0,0 +1,191 @@ + + + + + CVE-2016-8741 - Apache Qpid™ + + + + + + + + + + + + + +
+
+ Menu + + Search + + +
+ + + + + +
+ + +
+

CVE-2016-8741

+ +

Severity

+ +

Moderate

+ +

Affected components

+ +

Qpid Broker for Java

+ +

Affected versions

+ +

6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0

+ +

Fixed versions

+ +

6.0.6, 6.1.1

+ +

Description

+ +

Information Leakage.

+ +

The Qpid Broker for Java can be configured to use different so called +AuthenticationProviders to handle user authentication. Among the +choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider +types.

+ +

It was discovered that these AuthenticationProviders prematurely +terminate the SCRAM SASL negotiation if the provided user name does +not exist thus allowing remote attacker to determine the existence of +user accounts.

+ +

The Vulnerability does not apply to AuthenticationProviders other than +SCRAM-SHA-1 and SCRAM-SHA-256.

+ +

Mitigation

+ +

Users should upgrade the Qpid Broker for Java to version 6.0.6, +6.1.1, or later (recommended).

+ +

If upgrading is not possible, the vulnerability can be mitigated by +using an AuthenticationProvider other than SCRAM-SHA-1 and +SCRAM-SHA-256.

+ +

References

+ +

QPID-7599

+ + +
+ + + + +
+
+
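Review bot: the Description says the SCRAM providers "prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist", but there is no Resolution section saying how 6.0.6 and 6.1.1 close the gap, although the template in this commit provides one; a reader who needs to know whether the fix also removes any response-time difference between known and unknown users has nothing to go on, so add a sentence describing the fixed behaviour. Because SASL negotiation happens before any credential is checked, "allowing remote attacker" should read "allowing an unauthenticated remote attacker". Grammar in the same paragraphs: "so called AuthenticationProviders" should be "so-called AuthenticationProviders", and "The Vulnerability does not apply" should be "The vulnerability does not apply". The Mitigation that suggests switching to another AuthenticationProvider deserves a caveat that the replacement has to be chosen with the same care, since the page only says which providers are unaffected by this leak, not which are otherwise equivalent.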
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/template.html ---------------------------------------------------------------------- diff --git a/content/cves/template.html b/content/cves/template.html new file mode 100644 index 0000000..31e5664 --- /dev/null +++ b/content/cves/template.html @@ -0,0 +1,167 @@ + + + + + CVE-YYYY-NNNN - Apache Qpid™ + + + + + + + + + + + + + +
+
+ Menu + + Search + + +
+ + + + + +
+ + +
+

CVE-YYYY-NNNN

+ +

Severity

+ +

Important +Moderate +Low

+ +

Affected components

+ +

Affected versions

+ +

Fixed versions

+ +

Description

+ +

Resolution

+ +

Mitigation

+ +

Credit

+ +

References

+ + +
+ + + + +
+
+
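Review bot: the Severity placeholder lists "Important / Moderate / Low", but CVE-2016-4467.html added in this same commit uses "Medium" while the other two advisories use "Moderate"; either extend the template's scale or change CVE-2016-4467 to "Moderate" so the three pages agree. The template also carries Resolution, Mitigation and Credit sections that each advisory uses selectively (CVE-2016-4467 has Resolution but no Mitigation, the other two the reverse); a short comment in the template saying which sections are required and which are optional would keep future pages consistent.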
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/proton/index.html ---------------------------------------------------------------------- diff --git a/content/proton/index.html b/content/proton/index.html index 2513ad4..23d001b 100644 --- a/content/proton/index.html +++ b/content/proton/index.html @@ -202,6 +202,7 @@ platform, environment, or language. More about

Resources