Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 4134B200C85 for ; Mon, 15 May 2017 15:43:22 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 3FC8A160BCE; Mon, 15 May 2017 13:43:22 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D0BE1160BC2 for ; Mon, 15 May 2017 15:43:19 +0200 (CEST) Received: (qmail 32853 invoked by uid 500); 15 May 2017 13:43:19 -0000 Mailing-List: contact commits-help@qpid.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@qpid.apache.org Delivered-To: mailing list commits@qpid.apache.org Received: (qmail 32831 invoked by uid 99); 15 May 2017 13:43:19 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 15 May 2017 13:43:19 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id C3FD8DFB91; Mon, 15 May 2017 13:43:18 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: jross@apache.org To: commits@qpid.apache.org Date: Mon, 15 May 2017 13:43:19 -0000 Message-Id: <5547ce0606284c1cb6743bf925fbde31@git.apache.org> In-Reply-To: <45713d9f789c4fa3bd5d8324ba68bb4b@git.apache.org> References: <45713d9f789c4fa3bd5d8324ba68bb4b@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/3] qpid-site git commit: QPID-7756: Give each CVE its own page; link to CVEs from component pages archived-at: Mon, 15 May 2017 13:43:22 -0000 http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4467.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-4467.html b/content/cves/CVE-2016-4467.html new file mode 100644 index 0000000..48a6dc4 --- /dev/null +++ b/content/cves/CVE-2016-4467.html @@ -0,0 +1,207 @@ + + + + + CVE-2016-4467 - Apache Qpid™ + + + + + + + + + + + + + +

+ + +

+ + + + + +

+ + +

CVE-2016-4467

+ +

Severity

+ +

Medium

+ +

Affected components

+ +

Qpid Proton

+ +

Affected versions

+ +

0.8 through 0.13.0 inclusive

+ +

Fixed versions

+ +

0.13.1 and later

+ +

Description

+ +

Failure to verify that the server host name matches the certificate +host name on Windows.

+ +

Messaging applications using the Proton C library to provide SSL/TLS +authentication on Windows can falsely authenticate a server whose name +does not match the server name in the connection specifier. Proton C +bindings are affected to a greater or lesser degree depending on how +they use the underlying Proton C library.

+ +

In Proton C, this can only happen if PN_SSL_VERIFY_PEER_NAME has been +specified as the verification mode and pn_ssl_set_peer_hostname() has +not been called at all or has been called with a NULL value for a +particular pn_ssl_t object.

+ +

In the Proton C++ binding, this will always happen unless the +application has separately specified a virtual_host name for an +SSL/TLS connection.

+ +

In the Proton Python and Ruby bindings, this will only happen if the +application has separately specified a NULL virtual_host name for an +SSL/TLS connection after creating the connection but before the +authentication step.

+ +

This issue only occurs on Windows versions of Proton that use the +default SChannel-based security layer.

+ +

In any of the preceding cases, it is possible for a man-in-the-middle +attacker to spoof an SSL/TLS server if they had a certificate that was +valid for any of the application's Certificate Authorities.

+ +

Resolution

+ +

Proton release 0.13.1 resolves this issue in the SChannel-based +security layer by obtaining a default non-NULL peer hostname from the +associated connection address when initialized and by always failing +hostname verification if PN_SSL_VERIFY_PEER_NAME has been specified +along with a NULL peer hostname. This resolution matches the +associated behaviour of the OpenSSL-based security layer.

+ +

References

+ +

PROTON-1228 and +PROTON-1233

+ + +

+ + + +

+ Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the Apache + License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners +

+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4974.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-4974.html b/content/cves/CVE-2016-4974.html new file mode 100644 index 0000000..0f13648 --- /dev/null +++ b/content/cves/CVE-2016-4974.html @@ -0,0 +1,196 @@ + + + + + CVE-2016-4974 - Apache Qpid™ + + + + + + + + + + + + + +

+ + +

+ + + + + +

+ + +

CVE-2016-4974

+ +

Severity

+ +

Moderate

+ +

Affected components

+ +

Qpid JMS

+ +

Affected versions

+ +

0.9.0 and earlier

+ +

Fixed versions

+ +

0.10.0 and later

+ +

Description

+ +

Deserialization of untrusted input while using JMS ObjectMessage.

+ +

When applications call getObject() on a consumed JMS ObjectMessage +they are subject to the behaviour of any object deserialization during +the process of constructing the body to return. Unless the application +has taken outside steps to limit the deserialization process, they +can't protect against input that might try to make undesired use of +classes available on the application classpath that might be +vulnerable to exploitation. In order to exploit this vulnerability, an +attacker would need to be able to inject a suitably crafted AMQP +message containing the malicious JMS Object Message into the AMQP +message network. For this, the attacker would require valid +authentication credentials and suitable authorisation.

+ +

Mitigation

+ +

Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or +later, and use the new configuration options to whitelist trusted +content permitted for deserialization. When so configured, attempts to +deserialize input containing other content will be +prevented. Alternatively, users of older client releases may utilise +other means such as agent-based approaches to help govern content +permitted for deserialization in their application.

+ +

Credit

+ +

This issue was discovered by Matthias Kaiser of Code White +(www.code-white.com).

+ +

References

+ +

QPIDJMS-188

+ + +

+ + + +

+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-8741.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2016-8741.html b/content/cves/CVE-2016-8741.html new file mode 100644 index 0000000..6835235 --- /dev/null +++ b/content/cves/CVE-2016-8741.html @@ -0,0 +1,191 @@ + + + + + CVE-2016-8741 - Apache Qpid™ + + + + + + + + + + + + + +

+ + +

+ + + + + +

+ + +

CVE-2016-8741

+ +

Severity

+ +

Moderate

+ +

Affected components

+ +

Qpid Broker for Java

+ +

Affected versions

+ +

6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0

+ +

Fixed versions

+ +

6.0.6, 6.1.1

+ +

Description

+ +

Information Leakage.

+ +

The Qpid Broker for Java can be configured to use different so called +AuthenticationProviders to handle user authentication. Among the +choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider +types.

+ +

It was discovered that these AuthenticationProviders prematurely +terminate the SCRAM SASL negotiation if the provided user name does +not exist thus allowing remote attacker to determine the existence of +user accounts.

+ +

The Vulnerability does not apply to AuthenticationProviders other than +SCRAM-SHA-1 and SCRAM-SHA-256.

+ +

Mitigation

+ +

Users should upgrade the Qpid Broker for Java to version 6.0.6, +6.1.1, or later (recommended).

+ +

If upgrading is not possible, the vulnerability can be mitigated by +using an AuthenticationProvider other than SCRAM-SHA-1 and +SCRAM-SHA-256.

+ +

References

+ +

QPID-7599

+ + +

+ + + +

+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/template.html ---------------------------------------------------------------------- diff --git a/content/cves/template.html b/content/cves/template.html new file mode 100644 index 0000000..31e5664 --- /dev/null +++ b/content/cves/template.html @@ -0,0 +1,167 @@ + + + + + CVE-YYYY-NNNN - Apache Qpid™ + + + + + + + + + + + + + +

+ + +

+ + + + + +

+ + +

CVE-YYYY-NNNN

+ +

Severity

+ +

Important +Moderate +Low

+ +

Affected components

+ +

Affected versions

+ +

Fixed versions

+ +

Description

+ +

Resolution

+ +

Mitigation

+ +

Credit

+ +

References

+ + +

+ + + +

+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/proton/index.html ---------------------------------------------------------------------- diff --git a/content/proton/index.html b/content/proton/index.html index 2513ad4..23d001b 100644 --- a/content/proton/index.html +++ b/content/proton/index.html @@ -202,6 +202,7 @@ platform, environment, or language. More about

Resources

Security
Contributing to Proton
Proton Messenger
Proton wiki pages

Security

- -

Proton

- - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + +

CVE-ID	Severity	Affected Versions	Fixed in Versions	Description
CVE-2016-4467	Medium	0.8 through 0.13.0 (inclusive)	0.13.1 and later	Failure to verify that the server host name matches the certificate host name on Windows - show more - - - Messaging applications using the Proton C library to - provide SSL/TLS authentication on Windows can falsely - authenticate a server whose name does not match the server - name in the connection specifier. Proton C bindings are - affected to a greater or lesser degree depending on how - they use the underlying Proton C library. - - In Proton C, this can only happen if - PN_SSL_VERIFY_PEER_NAME has been specified as the - verification mode and pn_ssl_set_peer_hostname() has not - been called at all or has been called with a NULL value for - a particular pn_ssl_t object. - - In the Proton C++ binding, this will always happen unless - the application has separately specified a virtual_host name - for an SSL/TLS connection. - - In the Proton Python and Ruby bindings, this will only - happen if the application has separately specified a NULL - virtual_host name for an SSL/TLS connection after creating - the connection but before the authentication step. - - This issue only occurs on Windows versions of Proton that - use the default SChannel-based security layer. - - In any of the preceding cases, it is possible for a - man-in-the-middle attacker to spoof an SSL/TLS server if - they had a certificate that was valid for any of the - application's Certificate Authorities. - - Resolution: Proton release 0.13.1 resolves this issue in - the SChannel-based security layer by obtaining a default - non-NULL peer hostname from the associated connection - address when initialized and by always failing hostname - verification if PN_SSL_VERIFY_PEER_NAME has been specified - along with a NULL peer hostname. This resolution matches - the associated behaviour of the OpenSSL-based security - layer. - - References: PROTON-1228 - and PROTON-1233. - -
CVE-2016-2166	Moderate	0.9 through 0.12.0 (inclusive)	0.12.1 and later	- Python bindings silently ignore request for amqps if SSL/TLS not supported. show more - - Versions Affected: Apache Qpid Proton python API starting - at 0.9 up to and including version 0.12.0. - Description: Messaging applications using the Proton - Python API to provision an SSL/TLS encrypted TCP connection - may actually instantiate a non-encrypted connection without - notice if SSL support is unavailable. This will result in - all messages being sent in the clear without the knowledge - of the user. This issue affects those applications - that use the Proton Reactor Python API to create SSL/TLS - connections. Specifically the proton.reactor.Connector, - proton.reactor.Container, and - proton.utils.BlockingConnection classes are vulnerable. - These classes can create an unencrypted connections if the - "amqps://" URL prefix is used. The issue only occurs - if the installed Proton libraries do not support SSL. This - would be the case if the libraries were built without SSL - support or the necessary SSL libraries are not present on - the system (e.g. OpenSSL in the case of *nix). To - check whether or not the Python API provides SSL support, - use the following console command: python -c "import - proton; print('%s' % 'SSL present' if proton.SSL.present() - else 'SSL NOT AVAILBLE')" In addition, the issue can - only occur if both ends of the connection connect without - SSL. This would be the case if the vulnerability is active - on both ends of the connection, or the non-affected endpoint - allows cleartext connections. - Resolution: Proton release 0.12.1 resolves this issue by - raising an SSLUnavailable exception when SSL is not - available and a SSL/TLS connection is requested via the - "amqps://" URL - prefix. A patch - is also available. - References: PROTON-1157 - Credit: This issue was discovered by M. Farrellee from Red Hat. - -
CVE-ID	Severity	Affected versions	Fixed versions	Summary
CVE-2016-4467	Medium	0.8 through 0.13.0 inclusive	0.13.1 and later	Failure to verify that the server host name matches the certificate host name on Windows
CVE-2016-2166	Moderate	0.9 through 0.12.0 inclusive	0.12.1 and later	Python bindings silently ignore request for amqps if SSL/TLS not supported

- -

See the main Security page for general information and details for other components.

See the main Security page for general +information and details for other components.

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/security.html ---------------------------------------------------------------------- diff --git a/content/security.html b/content/security.html index e25e041..52e7661 100644 --- a/content/security.html +++ b/content/security.html @@ -118,7 +118,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>

Security Updates

Security updates

Details of security problems fixed in released versions of individual Apache Qpid components are detailed at:

@@ -129,7 +129,7 @@ Qpid components are detailed at:

@@ -137,8 +137,7 @@ Qpid components are detailed at:

@@ -150,7 +149,7 @@ Qpid components are detailed at:

Reporting New Security Problems with Apache Qpid

Reporting new security problems with Apache Qpid

We take a very active stance in eliminating security problems and denial of service attacks against Apache Qpid.

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/cpp-broker/index.md ---------------------------------------------------------------------- diff --git a/input/components/cpp-broker/index.md b/input/components/cpp-broker/index.md index c0bbd7d..78bab7d 100644 --- a/input/components/cpp-broker/index.md +++ b/input/components/cpp-broker/index.md @@ -90,6 +90,7 @@ that stores, routes, and forwards messages using AMQP. ## Resources + - [Security](security.html) - [Qpid extensions to AMQP](https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp)

- -## C++ Broker - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

CVE-ID	Severity	Affected Versions	Fixed in Versions	Description
CVE-2015-0224	Moderate	0.30 and earlier	0.32 and later	qpidd can be crashed by unauthenticated user - show more - - Description: In CVE-2015-0203 it was announced that - certain unexpected protocol sequences cause the broker - process to crash due to insufficient checking, but that - authentication could be used to restrict the exploitation - of this vulnerability. It has now been discovered - that in fact failing authentication does not necessarily - prevent exploitation of those reported - vulnerabilities. Further, it was stated that one of - the specific vulnerabilities was that the qpidd broker can - be crashed by sending it a sequence-set containing an - invalid range, where the start of the range is after the - end. This was an incorrect analysis of the vulnerability, - which is in fact caused by a sequence-set containing a - single range expressing the maximum possible gap. - - Solution: A further patch is available that handles a - range expressing the maximum possible gap without assertion - (QPID-6310). The - fix will be included in subsequent releases, but can be - applied to 0.30 if desired. - - Credit: This issue was discovered by G. Geshev from MWR - Labs - -
CVE-2015-0223	Moderate	0.30 and earlier	0.32 and later	anonymous access to qpidd cannot be prevented - show more - - Description: An attacker can gain access to qpidd as an - anonymous user, even if the ANONYMOUS mechanism is - disallowed. - - Solution: A patch is available - (QPID-6325) - that addresses this vulnerability. The fix will be included - in subsequent releases, but can be applied to 0.30 if - desired. - - Common Vulnerability Score information: Authorization can - be used to restrict access to broker entities such as queue - and exchanges. - - Credit: This issue was discovered by G. Geshev from MWR - Labs - -
CVE-2015-0203	Moderate	0.30 and earlier	0.32 and later	qpidd can be crashed by authenticated user - show more - - Description: Certain unexpected protocol sequences cause - the broker process to crash due to insufficient - checking. Three distinct cases were identified as follows: - The AMQP 0-10 protocol defines a sequence set containing - id ranges. The qpidd broker can be crashed by sending it a - sequence-set containing an invalid range, where the start of - the range is after the end. This condition causes an - assertion, which causes the broker process to exit. - The AMQP 0-10 protocol defines header- and body- segments - that may follow certain commands. The only command for which - such segments are expected by qpidd is the message-transfer - command. If another command is sent that includes header - and/or body segments, this will cause a segmentation fault - in the broker process, causing it then to exit. - The AMQP 0-10 protocol defines a session-gap control that - can be sent on any established session. The qpidd broker - does not support this control and responds with an - appropriate error if requested on an established - session. However, if the control is sent before the session - is opened, the brokers handling causes an assertion which - results in the broker process exiting. - - Solution: A patch is available - (QPID-6310) - that handles all these errors by sending an exception - control to the remote peer and leave the broker available to - all other users. The fix will be included in subsequent - releases, but can be applied to 0.30 if desired. - - Common Vulnerability Score information: Authentication - can be used to restrict access to the broker. However any - authenticated user would be able to trigger this condition - which could therefore be considered a form of denial of - service. - - Credit: This issue was discovered by G. Geshev from MWR - Labs - -
CVE-2014-3629	Low	0.30 and earlier	0.32 and later	qpidd can be induced to make http requests - show more - - Description: The XML exchange type is an optional, - dynamically loaded module for qpidd that allows creation of - exchanges that route messages based on evaluating an xquery - expression against them. On parsing a message sent to an - XML exchange, whose body is XML containing a link to a DTD, - the broker process will attempt to retrieve the referenced - resource(s). I.e. the broker process may be induced to make - outgoing HTTP connections by publishing a message containing - links to an XML exchange. - - Solution: - A patch - is available that prevents any retrieval of external - entities referenced in the XML. This will be included in - subsequent releases, but can be applied to 0.30 if - desired. - - Common Vulnerability Score information: If the XML - exchange functionality is not required, the module in - question need not be loaded at all. This can be done either - by moving the module - named xml.so - out of the module - directory, or by setting the --no-module-dir option and - adding an explicit --load-module argument for every required - module. Where the XML exchange functionality is - required, authorisation may be enabled to prevent all but - trusted users from creating or publishing to xml - exchanges. - - Credit: This issue was discovered by G. Geshev from MWR - Labs - -

- -

- -## Broker for Java - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

CVE-ID	Severity	Affected Versions	Fixed in Versions	Description
CVE-2016-4432	Important	6.0.2 and earlier	6.0.3	- Authentication Bypass. show more - - Versions Affected: Apache Qpid Broker for Java versions 6.0.2 and - earlier - Description: The code responsible for handling incoming - AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw - that allows authentication to be bypassed. An remote - attacker can exploit this vulnerability to perform actions, - without the need to specify valid credentials. For - instance, unauthorised messages could be injected or - messages stolen. The vulnerability cannot be exploited - if the Access Control List (ACL) feature is enabled AND - access to all virtual hosts controlled. The - vulnerability does not apply to the Broker's AMQP 1.0 - support. The vulnerability does not apply if the Broker - is configured to require SSL client authentication for all - messaging connections. - Resolution: Users should upgrade the Apache Qpid Broker for Java to - version 6.0.3 or later (recommended). - Mitigation: If upgrading is not possible, the - vulnerability can be mitigated using an ACL file containing - "ACCESS VIRTUALHOST" clauses that white-lists user access to - all virtualhosts. If AMQP 0-8, 0-9, 0-91, and 0-10 - support is not required, the vulnerability can also be - mitigated by turning off these protocols at the Port - level. - References: QPID-7257 - -
CVE-2016-3094	Important	6.0.0, 6.0.1, 6.0.2	6.0.3	- Denial of Service. - show more - - Versions Affected: Apache Qpid Broker for Java versions 6.0.0, - 6.0.1, and 6.0.2 - Description: A malformed authentication attempt may cause - the broker to terminate. The Apache Qpid Broker for Java supports a - number of configurable authentication providers each - supporting various SASL mechanisms. Some mechanisms need (or - can be configured to accept) plain-text passwords being sent - to the Broker (using the SASL "PLAIN" mechanism). Where the - broker has been configured to allow plain-text passwords for - authentication it is possible for a client to send a - malformed authentication attempt which will lead the broker - to terminate due to an uncaught Exception. Brokers - configured to use authentication from the - "PlainPasswordFile", "SimpleLDAP", or - "Base64MD5PasswordFile" providers are vulnerable if the - "PLAIN" mechanism is enabled (by default "PLAIN" will be - disabled on non-TLS ports, but enabled on TLS - connections). - Mitigation: Users should upgrade their Apache Qpid Broker for Java - to version 6.0.3 or later. If this is not possible, users - can disable the PLAIN mechanism for their authentication - manager on versions 0.32 and later by adding "PLAIN" to the - list of disabledMechanisms on their authentication provider - object. Note that the SimpleLDAP authentication provider - requires PLAIN and so this work around does not apply - there. - Credit: This issue was discovered by Alex Szczuczko of - Red Hat, Inc. - References: QPID-7271 - -
CVE-2016-8741	Moderate	6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0	6.0.6, 6.1.1	- Information Leakage. - show more - - Versions Affected: Apache Qpid Broker for Java versions 6.0.1, - 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0 - Description: The Qpid Broker for Java can be configured to use different so - called AuthenticationProviders to handle user authentication. - Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 - AuthenticationProvider types. - - It was discovered that these AuthenticationProviders prematurely - terminate the SCRAM SASL negotiation if the provided user name - does not exist thus allowing remote attacker to determine the - existence of user accounts. - - The Vulnerability does not apply to AuthenticationProviders other - than SCRAM-SHA-1 and SCRAM-SHA-256. - Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6, - 6.1.1, or later (recommended). - If upgrading is not possible, the vulnerability can be mitigated - by using an AuthenticationProvider other than SCRAM-SHA-1 and - SCRAM-SHA-256. - References: QPID-7599 - -

- -

- -## AMQP 0-x JMS Client (AMQP 0-8, 0-9, 0-9-1, 0-10) - - - - - - - - - - - - - - - - -

CVE-ID	Severity	Affected Versions	Fixed in Versions	Description
CVE-2016-4974	Moderate	6.0.3 and earlier	6.0.4 and later	- Deserialization of untrusted input while using JMS ObjectMessage. show more - - Description: When applications call getObject() on a consumed JMS ObjectMessage they are - subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside - steps to limit the deserialization process, they can't protect against - input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation. - In order to exploit this vulnerability, an attacker would need - to be able to inject a suitably crafted AMQP message containing the - malicious JMS Object Message into the AMQP message network. For this, - the attacker would require valid authentication credentials and - suitable authorisation. - - Mitigation: Users using ObjectMessage can upgrade to Qpid - AMQP 0-x JMS client 6.0.4 or or later, and use the new - configuration options to whitelist trusted content permitted for - deserialization. When so configured, attempts to deserialize input - containing other content will be prevented. Alternatively, users of older - client releases may utilise other means such as agent-based approaches to help - govern content permitted for deserialization in their application. - - Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com) - - References: QPID-7323 - -

- -

+## AMQP 1.0 JMS -## JMS Client (AMQP 1.0) +| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage | - - - - - - - - - - - - - - - -

CVE-ID	Severity	Affected Versions	Fixed in Versions	Description
CVE-2016-4974	Moderate	0.9.0 and earlier	0.10.0 and later	- Deserialization of untrusted input while using JMS ObjectMessage. show more - - Description: When applications call getObject() on a consumed JMS ObjectMessage they are - subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside - steps to limit the deserialization process, they can't protect against - input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation. - In order to exploit this vulnerability, an attacker would need - to be able to inject a suitably crafted AMQP message containing the - malicious JMS Object Message into the AMQP message network. For this, - the attacker would require valid authentication credentials and - suitable authorisation. +## AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10) - Mitigation: Users using ObjectMessage can upgrade to - Qpid JMS client 0.10.0 or later, and use the new - configuration options to whitelist trusted content permitted for - deserialization. When so configured, attempts to deserialize input - containing other content will be prevented. Alternatively, users of older - client releases may utilise other means such as agent-based approaches to help - govern content permitted for deserialization in their application. +\| CVE-ID \| Severity \| Affected versions \| Fixed versions \| Summary \| +\| ------ \| -------- \| ----------------- \| -------------- \| ------- \| +\| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) \| Moderate \| 0.9.0 and earlier \| 0.10.0 and later \| Deserialization of untrusted input while using JMS ObjectMessage \| - Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com) - - References: QPIDJMS-188 - -

- -

Project

Messaging APIs

Servers and tools

Resources

CVE-2016-4467

Severity

Affected components

Affected versions

Fixed versions

Description

Resolution

References

Project

Messaging APIs

Servers and tools

Resources

CVE-2016-4974

Severity

Affected components

Affected versions

Fixed versions

Description

Mitigation

Credit

References

Project

Messaging APIs

Servers and tools

Resources

CVE-2016-8741

Severity

Affected components

Affected versions

Fixed versions

Description

Mitigation

References

Project

Messaging APIs

Servers and tools

Resources

CVE-YYYY-NNNN

Severity

Affected components

Affected versions

Fixed versions

Description

Resolution

Mitigation

Credit

References

Resources

Security

Proton

Security Updates

Security updates

Reporting New Security Problems with Apache Qpid

Reporting new security problems with Apache Qpid