From commits-return-43738-archive-asf-public=cust-asf.ponee.io@qpid.apache.org Fri Feb 9 00:51:31 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id 72C3A18064F for ; Fri, 9 Feb 2018 00:51:31 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 62D6C160C4A; Thu, 8 Feb 2018 23:51:31 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 5AAB3160C5D for ; Fri, 9 Feb 2018 00:51:30 +0100 (CET) Received: (qmail 80746 invoked by uid 500); 8 Feb 2018 23:51:29 -0000 Mailing-List: contact commits-help@qpid.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@qpid.apache.org Delivered-To: mailing list commits@qpid.apache.org Received: (qmail 80705 invoked by uid 99); 8 Feb 2018 23:51:29 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 08 Feb 2018 23:51:29 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 71C87DFABA; Thu, 8 Feb 2018 23:51:29 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: orudyy@apache.org To: commits@qpid.apache.org Message-Id: <491f16eeaca84e8c9eea5cf3bca4d6f4@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: qpid-site git commit: QPID-8094: Update site for Qpid Broker-J release 7.0.1 Date: Thu, 8 Feb 2018 23:51:29 +0000 (UTC) Repository: qpid-site Updated Branches: refs/heads/asf-site 5432000ac -> faf4c8ce0 QPID-8094: Update site for Qpid Broker-J release 7.0.1 Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/faf4c8ce Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/faf4c8ce Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/faf4c8ce Branch: refs/heads/asf-site Commit: faf4c8ce05a2c8e84afe75109548c9c630c2d60c Parents: 5432000 Author: Alex Rudyy Authored: Thu Feb 8 23:50:32 2018 +0000 Committer: Alex Rudyy Committed: Thu Feb 8 23:50:32 2018 +0000 ---------------------------------------------------------------------- content/components/broker-j/security.html | 7 + content/cves/CVE-2018-1298.html | 230 +++++++++++++++++++ .../qpid-broker-j-7.0.1/release-notes.html | 4 +- 3 files changed, 240 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-site/blob/faf4c8ce/content/components/broker-j/security.html ---------------------------------------------------------------------- diff --git a/content/components/broker-j/security.html b/content/components/broker-j/security.html index 358c957..636a6b4 100644 --- a/content/components/broker-j/security.html +++ b/content/components/broker-j/security.html 
@@ -162,6 +162,13 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> 6.0.0 Authentication vulnerability + + CVE-2018-1298 + Important + 7.0.0 + 7.0.1 + Denial of Service + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/faf4c8ce/content/cves/CVE-2018-1298.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2018-1298.html b/content/cves/CVE-2018-1298.html new file mode 100644 index 0000000..4855226 --- /dev/null +++ b/content/cves/CVE-2018-1298.html @@ -0,0 +1,230 @@ + + + + + CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms - Apache Qpid™ + + + + + + + + + + + + + +
+ + + + + + +
+
  • Home
  • CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms
+ +
+

CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms

+ +

Severity

+ +

Important

+ +

Affected components

+ +

Qpid Broker-J

+ +

Affected versions

+ +

7.0.0

+ +

Fixed versions

+ +

7.0.1

+ +

Description

+ +

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 +in functionality for authentication of connections for AMQP protocols 0-8, 0-9, +0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability +allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and +HTTP connections are not affected.

+ +

An authentication of incoming AMQP connections in Apache Qpid Broker-J is +performed by special entities called "Authentication Providers". Each +Authentication Provider can support several SASL mechanisms +which are offered to the connecting clients as part of SASL negotiation process. +The client chooses the most appropriate SASL mechanism for authentication.

+ +

Authentication Providers of following types supports PLAIN SASL mechanism:

+ +
    +
  • Plain
  • +
  • PlainPasswordFile
  • +
  • SimpleLDAP
  • +
  • Base64MD5PasswordFile
  • +
  • MD5
  • +
  • SCRAM-SHA-256
  • +
  • SCRAM-SHA-1
  • +
+ +

XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2.

+ +

If an AMQP port is configured with any of these Authentication Providers, the +Broker may be vulnerable.

+ +

Resolution

+ +

Users of Broker-J version 7.0.0 utilizing affected Authentication Providers on +AMQP ports with support for AMQP 0-8, 0-9, 0-91 or 0-10 must upgrade to version +7.0.1 or later.

+ +

Mitigation

+ +

If upgrade of the broker is not possible, the SimpleLDAP and OAuth2 must be +replaced with an alternative provider. For the remaining affected types of +Authentication Providers the PLAIN SASL mechanism must be disabled by including +"PLAIN" in the "disabledMechanisms" attribute of the provider. The changes can +be made either directly in the broker configuration file or via management +interfaces (for example, REST API]). A broker restart is required for the +changes to take effect. Here is a template for curl utility call to disable +PLAIN mechanism using REST API:

+ +

sh +curl --user <user-name> -X POST -d '{"disabledMechanisms":["PLAIN"]}' https://<broker host>:<broker https port>/api/latest/authenticationprovider/<provider name> +

+ +

Alternatively, when only AMQP 1.0 protocol is used, the support for older AMQP +protocols can be removed on the AMQP port. It can be done either from Broker-J +Web Management Console or via management interfaces. A broker restart is +required for the changes to take effect. Here is a template for curl REST API +call to restrict port supported AMQP protocols to AMQP 1.0:

+ +

sh +curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' https://<broker host>:<broker https port>/api/latest/port/<port name> +

+ +

References

+ + + + +
+ + + + +
+
+
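Review bot: the Mitigation paragraph needs wording fixes before publishing: "(for example, REST API])" has a stray closing bracket, and "the SimpleLDAP and OAuth2 must be replaced with an alternative provider" drops the noun and should read "SimpleLDAP and OAuth2 Authentication Providers must be replaced". Both curl templates also render the fence language tag "sh" as loose text above the command, so the code block markup in the generated HTML should be checked. On the first template, the request sets "disabledMechanisms" to exactly ["PLAIN"]; it would help operators who already disable other mechanisms on that provider to state whether this value replaces or extends the existing list, so they know whether to include those entries alongside "PLAIN".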
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/faf4c8ce/content/releases/qpid-broker-j-7.0.1/release-notes.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-broker-j-7.0.1/release-notes.html b/content/releases/qpid-broker-j-7.0.1/release-notes.html index 0d0d42e..e79b919 100644 --- a/content/releases/qpid-broker-j-7.0.1/release-notes.html +++ b/content/releases/qpid-broker-j-7.0.1/release-notes.html @@ -119,6 +119,8 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>

Qpid Broker-J is a message broker written in Java that stores, routes, and forwards messages using AMQP.

+

Note: This release addresses security vulnerability CVE-2018-1298.

+

For more information about this release, including download links and documentation, see the release overview.

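Review bot: the added Note names CVE-2018-1298 as plain text only; since this same commit adds content/cves/CVE-2018-1298.html, link the identifier to that page so readers of the release notes can reach the severity, affected versions and mitigation steps directly.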
@@ -140,7 +142,7 @@ documentation, see the release overview.

  • QPID-8030 - [Broker-J] Message conversion from 0-8 to 1.0 should preserve binary correlationId
  • QPID-8040 - [Broker-J] Uncaught java.nio.channels.CancelledKeyException seen during Broker shutdown
  • QPID-8042 - [Broker-J][AMQP 1.0] Support for pipelined connection open containing SASL frames broken
  • -
  • QPID-8046 - [Broker-J] Allow SASL mechanisms PLAIN and XOAUTH2 to not require initial response
  • +
  • QPID-8046 - [CVE-2018-1298][Broker-J] Allow SASL mechanisms PLAIN and XOAUTH2 to not require initial response
  • QPID-8047 - [Broker-J][AMQP 0-10] NPE on receiving session.detach for unknown session
  • QPID-8049 - Non-free ICC profiles
  • QPID-8058 - [Broker-J][AMQP 1.0] Broker does not respond to drain request from consumer of management temporary destination
  • --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org For additional commands, e-mail: commits-help@qpid.apache.org