qpid-commits mailing list archives

From oru...@apache.org
Subject qpid-site git commit: QPID-8094: Update site for Qpid Broker-J release 7.0.1
Date Thu, 08 Feb 2018 23:46:06 GMT
Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 565d29bd0 -> 5432000ac


QPID-8094: Update site for Qpid Broker-J release 7.0.1


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/5432000a
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/5432000a
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/5432000a

Branch: refs/heads/asf-site
Commit: 5432000ac2a9aa9c9d446d10420b0526e8c9cc5b
Parents: 565d29b
Author: Alex Rudyy <orudyy@apache.org>
Authored: Thu Feb 8 23:45:24 2018 +0000
Committer: Alex Rudyy <orudyy@apache.org>
Committed: Thu Feb 8 23:45:24 2018 +0000

----------------------------------------------------------------------
 input/components/broker-j/security.md           |  1 +
 input/cves/CVE-2018-1298.md                     | 82 ++++++++++++++++++++
 .../qpid-broker-j-7.0.1/release-notes.md        |  6 +-
 3 files changed, 87 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5432000a/input/components/broker-j/security.md
----------------------------------------------------------------------
diff --git a/input/components/broker-j/security.md b/input/components/broker-j/security.md
index 501e1c3..2635c6c 100644
--- a/input/components/broker-j/security.md
+++ b/input/components/broker-j/security.md
@@ -26,6 +26,7 @@
 | [CVE-2016-8741]({{site_url}}/cves/CVE-2016-8741.html) | Moderate | 6.0.1, 6.0.2, 6.0.3,
6.0.4, 6.0.5, and 6.1.0 | 6.0.6, 6.1.1 | Information leakage |
 | [CVE-2017-15701]({{site_url}}/cves/CVE-2017-15701.html) | Important | 6.1.0, 6.1.1, 6.1.2,
6.1.3, and 6.1.4 | 6.1.5 | Denial of Service |
 | [CVE-2017-15702]({{site_url}}/cves/CVE-2017-15702.html) | Important | 0.18, 0.20, 0.22,
0.24, 0.26, 0.28, 0.30, and 0.32 | 6.0.0 | Authentication vulnerability |
+| [CVE-2018-1298]({{site_url}}/cves/CVE-2018-1298.html) | Important | 7.0.0 | 7.0.1 | Denial
of Service |
 
 See the main [security]({{site_url}}/security.html) page for general
 information and details for other components.
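Review bot: the new row's link target `{{site_url}}/cves/CVE-2018-1298.html` only resolves because `input/cves/CVE-2018-1298.md` is added in this same commit, so the two files must land together; the row's values (severity Important, affected 7.0.0, fixed 7.0.1, "Denial of Service") agree with the Severity, Affected versions and Fixed versions sections of that new page, so nothing else needs changing here.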

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5432000a/input/cves/CVE-2018-1298.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2018-1298.md b/input/cves/CVE-2018-1298.md
new file mode 100644
index 0000000..e7482b4
--- /dev/null
+++ b/input/cves/CVE-2018-1298.md
@@ -0,0 +1,82 @@
+# CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2
SASL mechanisms
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+7.0.0
+
+## Fixed versions
+
+[7.0.1]({{site_url}}/releases/qpid-broker-j-7.0.1/index.html)
+
+## Description
+
+A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0
+in functionality for authentication of connections for AMQP protocols 0-8, 0-9,
+0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability
+allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and
+HTTP connections are not affected.
+
+An authentication of incoming AMQP connections in Apache Qpid Broker-J is
+performed by special entities called "Authentication Providers". Each
+Authentication Provider can support several SASL mechanisms
+which are offered to the connecting clients as part of SASL negotiation process.
+The client chooses the most appropriate SASL mechanism for authentication.
+
+Authentication Providers of following types supports PLAIN SASL mechanism:
+
+ - Plain
+ - PlainPasswordFile
+ - SimpleLDAP
+ - Base64MD5PasswordFile
+ - MD5
+ - SCRAM-SHA-256
+ - SCRAM-SHA-1
+
+XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2.
+
+If an AMQP port is configured with any of these Authentication Providers, the
+Broker may be vulnerable.
+
+## Resolution
+
+Users of Broker-J version 7.0.0 utilizing affected Authentication Providers on
+AMQP ports with support for AMQP 0-8, 0-9, 0-91 or 0-10 must upgrade to version
+7.0.1 or later.
+
+## Mitigation
+
+If upgrade of the broker is not possible, the SimpleLDAP and OAuth2 must be
+replaced with an alternative provider. For the remaining affected types of
+Authentication Providers the PLAIN SASL mechanism must be disabled by including
+"PLAIN" in the "disabledMechanisms" attribute of the provider. The changes can
+be made either directly in the broker configuration file or via management
+interfaces (for example, REST API]). A broker restart is required for the
+changes to take effect. Here is a template for curl utility call to disable
+PLAIN mechanism using REST API:
+
+```sh
+curl --user <user-name> -X POST  -d '{"disabledMechanisms":["PLAIN"]}' https://<broker
host>:<broker https port>/api/latest/authenticationprovider/<provider name>
+```
+
+Alternatively, when only AMQP 1.0 protocol is used, the support for older AMQP
+protocols can be removed on the AMQP port. It can be done either from Broker-J
+Web Management Console or via management interfaces. A broker restart is
+required for the changes to take effect. Here is a template for curl REST API
+call to restrict port supported AMQP protocols to AMQP 1.0:
+
+```sh
+curl --user <user-name> -X POST  -d '{"protocols":["AMQP_1_0"]}' https://<broker
host>:<broker https port>/api/latest/port/<port name>
+```
+
+## References
+
+ - [QPID-8046](https://issues.apache.org/jira/browse/QPID-8046)
+ - [REST API](https://qpid.apache.org/releases/qpid-broker-j-7.0.0/book/Java-Broker-Management-Channel-REST-API.html)
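Review bot: in the Mitigation section, "(for example, REST API])" has a stray `]` and reads as a half-finished link; since the REST API reference is already listed under References, make it `(for example, the [REST API](https://qpid.apache.org/releases/qpid-broker-j-7.0.0/book/Java-Broker-Management-Channel-REST-API.html))`. A few grammar fixes in the Description would also help: "The vulnerability allows unauthenticated attacker" should be "allows an unauthenticated attacker", "An authentication of incoming AMQP connections ... is performed" should be "Authentication of incoming AMQP connections ... is performed", and "Authentication Providers of following types supports PLAIN SASL mechanism" should be "Authentication Providers of the following types support the PLAIN SASL mechanism". Two smaller points: the Mitigation says "the SimpleLDAP and OAuth2 must be replaced" without saying what; "Authentication Providers of type SimpleLDAP and OAuth2" would be clearer, and a clause explaining why disabling the mechanism is not an option for those two types (as it is for the other listed types) would save readers from guessing. Both curl templates POST a JSON body with no `Content-Type` header; if the management REST API needs `-H 'Content-Type: application/json'` to parse the body, the templates should include it, so please confirm against the linked REST API documentation.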

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5432000a/input/releases/qpid-broker-j-7.0.1/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-broker-j-7.0.1/release-notes.md b/input/releases/qpid-broker-j-7.0.1/release-notes.md
index 19bfb55..6c54ae0 100644
--- a/input/releases/qpid-broker-j-7.0.1/release-notes.md
+++ b/input/releases/qpid-broker-j-7.0.1/release-notes.md
@@ -22,6 +22,8 @@
 Qpid Broker-J is a message broker written in Java that stores, routes,
 and forwards messages using AMQP.
 
+**Note**: This release addresses security vulnerability CVE-2018-1298.
+
 For more information about this release, including download links and
 documentation, see the [release overview](index.html).
 
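Review bot: the bold note gives CVE-2018-1298 as plain text, while the security table updated in this same commit links the identifier to `{{site_url}}/cves/CVE-2018-1298.html`; linking it here as well would take release-notes readers straight to the advisory and its Mitigation section instead of leaving them to find it via the security page.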
@@ -41,7 +43,7 @@ documentation, see the [release overview](index.html).
  - [QPID-8030](https://issues.apache.org/jira/browse/QPID-8030) - [Broker-J] Message conversion
from 0-8 to 1.0 should preserve binary correlationId
  - [QPID-8040](https://issues.apache.org/jira/browse/QPID-8040) - [Broker-J] Uncaught java.nio.channels.CancelledKeyException
seen during Broker shutdown
  - [QPID-8042](https://issues.apache.org/jira/browse/QPID-8042) - [Broker-J][AMQP 1.0] Support
for pipelined connection open containing SASL frames broken
- - [QPID-8046](https://issues.apache.org/jira/browse/QPID-8046) - [Broker-J] Allow SASL mechanisms
PLAIN and XOAUTH2 to not require initial response
+ - [QPID-8046](https://issues.apache.org/jira/browse/QPID-8046) - [CVE-2018-1298][Broker-J]
Allow SASL mechanisms PLAIN and XOAUTH2 to not require initial response
  - [QPID-8047](https://issues.apache.org/jira/browse/QPID-8047) - [Broker-J][AMQP 0-10] NPE
on receiving session.detach for unknown session
  - [QPID-8049](https://issues.apache.org/jira/browse/QPID-8049) - Non-free ICC profiles
  - [QPID-8058](https://issues.apache.org/jira/browse/QPID-8058) - [Broker-J][AMQP 1.0] Broker
does not respond to drain request from consumer of management temporary destination
@@ -58,4 +60,4 @@ documentation, see the [release overview](index.html).
 
 ## Tasks
 
- - [QPID-8094](https://issues.apache.org/jira/browse/QPID-8094) - [Broker-J] Release Qpid
Broker-J 7.0.1
\ No newline at end of file
+ - [QPID-8094](https://issues.apache.org/jira/browse/QPID-8094) - [Broker-J] Release Qpid
Broker-J 7.0.1
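Review bot: this hunk changes no content; it only adds the missing trailing newline (the `\ No newline at end of file` marker on the removed line). Harmless, and it accounts for one of the "2 deletions" in the diffstat, but it is unrelated to the CVE update and would be easier to audit as a separate whitespace commit.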


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org

