qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From oru...@apache.org
Subject qpid-site git commit: QPID-8094: Update site for Qpid Broker-J release 7.0.1
Date Thu, 08 Feb 2018 23:51:29 GMT
Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 5432000ac -> faf4c8ce0


QPID-8094: Update site for Qpid Broker-J release 7.0.1


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/faf4c8ce
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/faf4c8ce
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/faf4c8ce

Branch: refs/heads/asf-site
Commit: faf4c8ce05a2c8e84afe75109548c9c630c2d60c
Parents: 5432000
Author: Alex Rudyy <orudyy@apache.org>
Authored: Thu Feb 8 23:50:32 2018 +0000
Committer: Alex Rudyy <orudyy@apache.org>
Committed: Thu Feb 8 23:50:32 2018 +0000

----------------------------------------------------------------------
 content/components/broker-j/security.html       |   7 +
 content/cves/CVE-2018-1298.html                 | 230 +++++++++++++++++++
 .../qpid-broker-j-7.0.1/release-notes.html      |   4 +-
 3 files changed, 240 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/faf4c8ce/content/components/broker-j/security.html
----------------------------------------------------------------------
diff --git a/content/components/broker-j/security.html b/content/components/broker-j/security.html
index 358c957..636a6b4 100644
--- a/content/components/broker-j/security.html
+++ b/content/components/broker-j/security.html
@@ -162,6 +162,13 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
   <td>6.0.0</td>
   <td>Authentication vulnerability</td>
 </tr>
+<tr>
+  <td><a href="/cves/CVE-2018-1298.html">CVE-2018-1298</a></td>
+  <td>Important</td>
+  <td>7.0.0</td>
+  <td>7.0.1</td>
+  <td>Denial of Service</td>
+</tr>
 </tbody>
 </table>
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/faf4c8ce/content/cves/CVE-2018-1298.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2018-1298.html b/content/cves/CVE-2018-1298.html
new file mode 100644
index 0000000..4855226
--- /dev/null
+++ b/content/cves/CVE-2018-1298.html
@@ -0,0 +1,230 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+  <head>
+    <title>CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with
PLAIN and XOAUTH2 SASL mechanisms - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid Messaging
API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search" method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2018-1298:
Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms</li></ul>
+
+        <div id="-middle-content">
+          <h1 id="cve-2018-1298-apache-qpid-broker-j-denial-of-service-vulnerability-with-plain-and-xoauth2-sasl-mechanisms">CVE-2018-1298:
Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>7.0.0</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-broker-j-7.0.1/index.html">7.0.1</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0
+in functionality for authentication of connections for AMQP protocols 0-8, 0-9,
+0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability
+allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and
+HTTP connections are not affected.</p>
+
+<p>An authentication of incoming AMQP connections in Apache Qpid Broker-J is
+performed by special entities called "Authentication Providers". Each
+Authentication Provider can support several SASL mechanisms
+which are offered to the connecting clients as part of SASL negotiation process.
+The client chooses the most appropriate SASL mechanism for authentication.</p>
+
+<p>Authentication Providers of following types supports PLAIN SASL mechanism:</p>
+
+<ul>
+<li>Plain</li>
+<li>PlainPasswordFile</li>
+<li>SimpleLDAP</li>
+<li>Base64MD5PasswordFile</li>
+<li>MD5</li>
+<li>SCRAM-SHA-256</li>
+<li>SCRAM-SHA-1</li>
+</ul>
+
+<p>XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2.</p>
+
+<p>If an AMQP port is configured with any of these Authentication Providers, the
+Broker may be vulnerable.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Users of Broker-J version 7.0.0 utilizing affected Authentication Providers on
+AMQP ports with support for AMQP 0-8, 0-9, 0-91 or 0-10 must upgrade to version
+7.0.1 or later.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrade of the broker is not possible, the SimpleLDAP and OAuth2 must be
+replaced with an alternative provider. For the remaining affected types of
+Authentication Providers the PLAIN SASL mechanism must be disabled by including
+"PLAIN" in the "disabledMechanisms" attribute of the provider. The changes can
+be made either directly in the broker configuration file or via management
+interfaces (for example, REST API]). A broker restart is required for the
+changes to take effect. Here is a template for curl utility call to disable
+PLAIN mechanism using REST API:</p>
+
+<p><code>sh
+curl --user &lt;user-name&gt; -X POST  -d '{"disabledMechanisms":["PLAIN"]}' https://&lt;broker
host&gt;:&lt;broker https port&gt;/api/latest/authenticationprovider/&lt;provider
name&gt;
+</code></p>
+
+<p>Alternatively, when only AMQP 1.0 protocol is used, the support for older AMQP
+protocols can be removed on the AMQP port. It can be done either from Broker-J
+Web Management Console or via management interfaces. A broker restart is
+required for the changes to take effect. Here is a template for curl REST API
+call to restrict port supported AMQP protocols to AMQP 1.0:</p>
+
+<p><code>sh
+curl --user &lt;user-name&gt; -X POST  -d '{"protocols":["AMQP_1_0"]}' https://&lt;broker
host&gt;:&lt;broker https port&gt;/api/latest/port/&lt;port name&gt;
+</code></p>
+
+<h2 id="references">References</h2>
+
+<ul>
+<li><a href="https://issues.apache.org/jira/browse/QPID-8046">QPID-8046</a></li>
+<li><a href="https://qpid.apache.org/releases/qpid-broker-j-7.0.0/book/Java-Broker-Management-Channel-REST-API.html">REST
API</a></li>
+</ul>
+
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/">Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/">License</a></li>
+            <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+            <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+            <li><a href="/security.html">Security</a></li>
+            <li><a href="http://www.apache.org/"><img id="-apache-feather"
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/faf4c8ce/content/releases/qpid-broker-j-7.0.1/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-broker-j-7.0.1/release-notes.html b/content/releases/qpid-broker-j-7.0.1/release-notes.html
index 0d0d42e..e79b919 100644
--- a/content/releases/qpid-broker-j-7.0.1/release-notes.html
+++ b/content/releases/qpid-broker-j-7.0.1/release-notes.html
@@ -119,6 +119,8 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
 <p>Qpid Broker-J is a message broker written in Java that stores, routes,
 and forwards messages using AMQP.</p>
 
+<p><strong>Note</strong>: This release addresses security vulnerability
CVE-2018-1298.</p>
+
 <p>For more information about this release, including download links and
 documentation, see the <a href="index.html">release overview</a>.</p>
 
@@ -140,7 +142,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8030">QPID-8030</a>
- [Broker-J] Message conversion from 0-8 to 1.0 should preserve binary correlationId</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8040">QPID-8040</a>
- [Broker-J] Uncaught java.nio.channels.CancelledKeyException seen during Broker shutdown</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8042">QPID-8042</a>
- [Broker-J][AMQP 1.0] Support for pipelined connection open containing SASL frames broken</li>
-<li><a href="https://issues.apache.org/jira/browse/QPID-8046">QPID-8046</a>
- [Broker-J] Allow SASL mechanisms PLAIN and XOAUTH2 to not require initial response</li>
+<li><a href="https://issues.apache.org/jira/browse/QPID-8046">QPID-8046</a>
- [CVE-2018-1298][Broker-J] Allow SASL mechanisms PLAIN and XOAUTH2 to not require initial
response</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8047">QPID-8047</a>
- [Broker-J][AMQP 0-10] NPE on receiving session.detach for unknown session</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8049">QPID-8049</a>
- Non-free ICC profiles</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8058">QPID-8058</a>
- [Broker-J][AMQP 1.0] Broker does not respond to drain request from consumer of management
temporary destination</li>


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message