From: gmurthy@apache.org
To: commits@qpid.apache.org
Message-Id: <68aa58757b914b879307d50c0ee7668c@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: qpid-site git commit: Added information about new security vulnerability CVE-2017-15699
Date: Tue, 13 Feb 2018 20:08:29 +0000 (UTC)

Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 5871bc3a2 -> e4a918b02

Added information about new security vulnerability CVE-2017-15699

Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/e4a918b0
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/e4a918b0
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/e4a918b0

Branch: refs/heads/asf-site
Commit: e4a918b02ccca59c9297c0777406fcfd4cb3c5ac
Parents: 5871bc3
Author: Ganesh Murthy
Authored: Tue Feb 13 14:34:32 2018 -0500
Committer: Ganesh Murthy
Committed: Tue Feb 13 15:06:22 2018 -0500

----------------------------------------------------------------------
 content/components/dispatch-router/index.html  |   6 +
 .../components/dispatch-router/security.html   | 169 +++++++++++++++++
 content/cves/CVE-2017-15699.html               | 180 +++++++++++++++++++
 content/releases/index.html                    |   2 +-
 .../qpid-dispatch-0.8.1/release-notes.html     |   2 +-
 content/security.html                          |   1 +
 input/components/dispatch-router/index.md      |   4 +
 input/components/dispatch-router/security.md   |  27 +++
 input/cves/CVE-2017-15699.md                   |  36 ++++
 input/releases/index.md                        |   2 +-
 .../qpid-dispatch-0.8.1/release-notes.md       |   2 +-
 input/security.md                              |   1 +
 12 files changed, 428 insertions(+), 4 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/content/components/dispatch-router/index.html
----------------------------------------------------------------------
diff --git a/content/components/dispatch-router/index.html b/content/components/dispatch-router/index.html
index 396a57d..852f5d2 100644
--- a/content/components/dispatch-router/index.html +++ b/content/components/dispatch-router/index.html @@ -192,6 +192,12 @@ they be clients, brokers or other AMQP-enabled services. More about
  • Git clone URL
  • +

    Resources

    + + + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/content/components/dispatch-router/security.html ---------------------------------------------------------------------- diff --git a/content/components/dispatch-router/security.html b/content/components/dispatch-router/security.html new file mode 100644 index 0000000..e75f951 --- /dev/null +++ b/content/components/dispatch-router/security.html @@ -0,0 +1,169 @@ + + + + + Security - Apache Qpid™ + + + + + + + + + + + + + +
    + + + + + + +
    + + +
    +

    Security

    + + + + + + + + + + + + + + + + + + + + +
    CVE-IDSeverityAffected versionsFixed versionsSummary
    CVE-2017-15699Important0.7.0, 0.8.00.8.1, 1.0.0Denial of service
    + +

    See the main security page for general +information and details for other components.

    + + +
    + + + + +
    +
    +
    + + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/content/cves/CVE-2017-15699.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2017-15699.html b/content/cves/CVE-2017-15699.html new file mode 100644 index 0000000..8bd74cd --- /dev/null +++ b/content/cves/CVE-2017-15699.html @@ -0,0 +1,180 @@ + + + + + CVE-2017-15699: Apache Qpid Dispatch Denial of Service Vulnerability when specially crafted frame is sent to the Router - Apache Qpid™ + + + + + + + + + + + + + +
    + + + + + + +
    +
    • Home
    • CVE-2017-15699: Apache Qpid Dispatch Denial of Service Vulnerability when specially crafted frame is sent to the Router
    + +
    +

    CVE-2017-15699: Apache Qpid Dispatch Denial of Service Vulnerability when specially crafted frame is sent to the Router

    + +

    Severity

    + +

    Important

    + +

    Affected components

    + +

    Qpid Dispatch Router

    + +

    Affected versions

    + +

    0.7.0, 0.8.0

    + +

    Fixed versions

    + +

    0.8.1 +1.0.0

    + +

    Description

    + +

    A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down.

    + +

    Resolution

    + +

    Users of Qpid Dispatch Router version 0.7.0 and 0.8.0 must upgrade to version 0.8.1 or later.

    + +

    Mitigation

    + +

    Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled then any remote user with network access the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication. Then an attacker needs to have authentic credentials which are used to create a connection to the Router before proceeding to exploit this vulnerability.

    + +

    References

    + + + + +
    + + + + +
    +
    +
    + + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/content/releases/index.html ---------------------------------------------------------------------- diff --git a/content/releases/index.html b/content/releases/index.html index 89ba641..bc27096 100644 --- a/content/releases/index.html +++ b/content/releases/index.html @@ -145,6 +145,7 @@ the
      +
    • Qpid Dispatch 0.8.1, February 2018
    • Qpid Broker-J 7.0.0, November 2017
    • Qpid Proton 0.19.0, December 2017
    • Qpid JMS 0.28.0, December 2017
    • @@ -163,7 +164,6 @@ the
    • Qpid for Java 6.0.8, June 2017
    • Qpid for Java 6.1.3, June 2017
    • Qpid for Java 6.0.7, June 2017
    • -
    • Qpid Dispatch 0.8.1, February 2018
    • Qpid Dispatch 0.8.0, May 2017
    • Qpid JMS 0.23.0, May 2017
    • Qpid Proton-J 0.19.0, May 2017
    • http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/content/releases/qpid-dispatch-0.8.1/release-notes.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-dispatch-0.8.1/release-notes.html b/content/releases/qpid-dispatch-0.8.1/release-notes.html index de6068f..86b88b2 100644 --- a/content/releases/qpid-dispatch-0.8.1/release-notes.html +++ b/content/releases/qpid-dispatch-0.8.1/release-notes.html @@ -126,7 +126,7 @@ documentation, see the release overview.

      Bugs fixed

        -
      • DISPATCH-924 - Remove unused variables in router core
      • +
      • DISPATCH-924 - Denial of Service Vulnerability when specially crafted frame is sent to the Router
      http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/content/security.html ---------------------------------------------------------------------- diff --git a/content/security.html b/content/security.html index b32f39d..4508351 100644 --- a/content/security.html +++ b/content/security.html @@ -130,6 +130,7 @@ Qpid components are detailed at:

      http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/input/components/dispatch-router/index.md ---------------------------------------------------------------------- diff --git a/input/components/dispatch-router/index.md b/input/components/dispatch-router/index.md index 9fa2e0e..9edfcf9 100644 --- a/input/components/dispatch-router/index.md +++ b/input/components/dispatch-router/index.md @@ -79,4 +79,8 @@ they be clients, brokers or other AMQP-enabled services. More about - [Browse via GitHub](https://github.com/apache/qpid-dispatch) - [Git clone URL](https://git-wip-us.apache.org/repos/asf/qpid-dispatch.git) +## Resources + + - [Security](security.html) +
    http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/input/components/dispatch-router/security.md ---------------------------------------------------------------------- diff --git a/input/components/dispatch-router/security.md b/input/components/dispatch-router/security.md new file mode 100644 index 0000000..c5bfbcd --- /dev/null +++ b/input/components/dispatch-router/security.md @@ -0,0 +1,27 @@ +;; +;; Licensed to the Apache Software Foundation (ASF) under one +;; or more contributor license agreements. See the NOTICE file +;; distributed with this work for additional information +;; regarding copyright ownership. The ASF licenses this file +;; to you under the Apache License, Version 2.0 (the +;; "License"); you may not use this file except in compliance +;; with the License. You may obtain a copy of the License at +;; +;; http://www.apache.org/licenses/LICENSE-2.0 +;; +;; Unless required by applicable law or agreed to in writing, +;; software distributed under the License is distributed on an +;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +;; KIND, either express or implied. See the License for the +;; specific language governing permissions and limitations +;; under the License. +;; + +# Security + +| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2017-15699]({{site_url}}/cves/CVE-2017-15699.html) | Important | 0.7.0, 0.8.0 | 0.8.1, 1.0.0 | Denial of service | + +See the main [security]({{site_url}}/security.html) page for general +information and details for other components. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/input/cves/CVE-2017-15699.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2017-15699.md b/input/cves/CVE-2017-15699.md new file mode 100644 index 0000000..66d43b4 --- /dev/null +++ b/input/cves/CVE-2017-15699.md 
@@ -0,0 +1,36 @@ +# CVE-2017-15699: Apache Qpid Dispatch Denial of Service Vulnerability when specially crafted frame is sent to the Router + +## Severity + +Important + +## Affected components + +Qpid Dispatch Router + +## Affected versions + +0.7.0, 0.8.0 + +## Fixed versions + +[0.8.1]({{site_url}}/releases/qpid-dispatch-0.8.1/index.html) +[1.0.0]({{site_url}}/releases/qpid-dispatch-1.0.0/index.html) + +## Description + +A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down. + + +## Resolution +Users of Qpid Dispatch Router version 0.7.0 and 0.8.0 must upgrade to version 0.8.1 or later. + + +## Mitigation +Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled then any remote user with network access the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication. Then an attacker needs to have authentic credentials which are used to create a connection to the Router before proceeding to exploit this vulnerability. + +## References + + - [DISPATCH-924](https://issues.apache.org/jira/browse/DISPATCH-924) + + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/input/releases/index.md ---------------------------------------------------------------------- diff --git a/input/releases/index.md b/input/releases/index.md index e82498f..e24c358 100644 --- a/input/releases/index.md +++ b/input/releases/index.md @@ -44,6 +44,7 @@ the ## Past releases
    + - [Qpid Dispatch 0.8.1](qpid-dispatch-0.8.1/index.html), February 2018 - [Qpid Broker-J 7.0.0](qpid-broker-j-7.0.0/index.html), November 2017 - [Qpid Proton 0.19.0](qpid-proton-0.19.0/index.html), December 2017 - [Qpid JMS 0.28.0](qpid-jms-0.28.0/index.html), December 2017 @@ -62,7 +63,6 @@ the - [Qpid for Java 6.0.8](qpid-java-6.0.8/index.html), June 2017 - [Qpid for Java 6.1.3](qpid-java-6.1.3/index.html), June 2017 - [Qpid for Java 6.0.7](qpid-java-6.0.7/index.html), June 2017 - - [Qpid Dispatch 0.8.1](qpid-dispatch-0.8.1/index.html), February 2018 - [Qpid Dispatch 0.8.0](qpid-dispatch-0.8.0/index.html), May 2017 - [Qpid JMS 0.23.0](qpid-jms-0.23.0/index.html), May 2017 - [Qpid Proton-J 0.19.0](qpid-proton-j-0.19.0/index.html), May 2017 http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/input/releases/qpid-dispatch-0.8.1/release-notes.md ---------------------------------------------------------------------- diff --git a/input/releases/qpid-dispatch-0.8.1/release-notes.md b/input/releases/qpid-dispatch-0.8.1/release-notes.md index 8db7865..648e02b 100644 --- a/input/releases/qpid-dispatch-0.8.1/release-notes.md +++ b/input/releases/qpid-dispatch-0.8.1/release-notes.md @@ -28,4 +28,4 @@ documentation, see the [release overview](index.html). ## Bugs fixed - - [DISPATCH-924](https://issues.apache.org/jira/browse/DISPATCH-924) - Remove unused variables in router core \ No newline at end of file + - [DISPATCH-924](https://issues.apache.org/jira/browse/DISPATCH-924) - Denial of Service Vulnerability when specially crafted frame is sent to the Router \ No newline at end of file http://git-wip-us.apache.org/repos/asf/qpid-site/blob/e4a918b0/input/security.md ---------------------------------------------------------------------- diff --git a/input/security.md b/input/security.md index 3e6efb5..5453ae9 100644 --- a/input/security.md +++ b/input/security.md 
@@ -31,6 +31,7 @@ Qpid components are detailed at: - [Broker-J]({{site_url}}/components/broker-j/security.html) - [C++ broker]({{site_url}}/components/cpp-broker/security.html) + - [Dispatch]({{site_url}}/components/dispatch-router/security.html)
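Review bot: In the input/cves/CVE-2017-15699.md hunk, the two links under `## Fixed versions` sit on adjacent lines with no list marker or blank line between them, so Markdown renders them as one paragraph ("0.8.1 1.0.0"), which is exactly what the generated content/cves/CVE-2017-15699.html in this same commit shows; make them a list as the References section already does (` - [0.8.1](...)`) or comma-separate them as the input/components/dispatch-router/security.md table does ("0.8.1, 1.0.0"). Two smaller points in the same hunk: the Mitigation paragraph reads "any remote user with network access the Router" and is missing "to", and the `## Resolution` and `## Mitigation` headings have no blank line after them, unlike every other section in the file.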
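Review bot: In the input/releases/qpid-dispatch-0.8.1/release-notes.md hunk, the DISPATCH-924 entry is retitled to the denial-of-service fix but nothing in the release notes points at the new CVE page, so someone reading the 0.8.1 notes cannot get to the advisory (affected versions, mitigation) even though the CVE page links back to this release. Suggest naming the CVE in the entry, e.g. ` - [DISPATCH-924](https://issues.apache.org/jira/browse/DISPATCH-924) - Denial of Service Vulnerability when specially crafted frame is sent to the Router ([CVE-2017-15699]({{site_url}}/cves/CVE-2017-15699.html))`. The `\ No newline at end of file` marker survives the change on both sides; since the line is being rewritten anyway, this is a convenient moment to add the trailing newline.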