qpid-commits mailing list archives

From oru...@apache.org
Subject [qpid-site] branch asf-site updated: Add description of CVE-2019-0200 in Qpid Broker-J security pages
Date Fri, 01 Mar 2019 20:45:51 GMT
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/qpid-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 605e179  Add description of CVE-2019-0200 in Qpid Broker-J security pages
605e179 is described below

commit 605e179e2b6c7b82177f70b6d2123c6b29e58eec
Author: Alex Rudyy <orudyy@apache.org>
AuthorDate: Fri Mar 1 20:45:23 2019 +0000

    Add description of CVE-2019-0200 in Qpid Broker-J security pages
---
 content/components/broker-j/security.html          |   7 ++
 .../security.html => cves/CVE-2019-0200.html}      | 122 +++++++++------------
 input/components/broker-j/security.md              |   2 +
 input/cves/CVE-2019-0200.md                        |  49 +++++++++
 4 files changed, 111 insertions(+), 69 deletions(-)

diff --git a/content/components/broker-j/security.html b/content/components/broker-j/security.html
index 862dbf3..1627456 100644
--- a/content/components/broker-j/security.html
+++ b/content/components/broker-j/security.html
@@ -176,6 +176,13 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
   <td>7.0.5</td>
   <td>Denial of Service</td>
 </tr>
+<tr>
+  <td><a href="/cves/CVE-2019-0200.html">CVE-2019-0200</a></td>
+  <td>Important</td>
+  <td>6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1,
6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6
and 7.1.0</td>
+  <td>7.0.7, 7.1.1</td>
+  <td>Denial of Service</td>
+</tr>
 </tbody>
 </table>
 
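Review bot: the new table row rates CVE-2019-0200 as "Important", but the advisory page added by this same commit (content/cves/CVE-2019-0200.html, "Severity" section) says "Critical"; the component table and the advisory should carry the same rating, so settle on one and use it in both places. Minor: the affected-versions cell spells out 24 individual versions, while the advisory already uses the compact range form "6.0.0-7.0.6 and 7.1.0"; using the same range here would make the row easier to read and less error-prone to maintain.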
diff --git a/content/components/broker-j/security.html b/content/cves/CVE-2019-0200.html
similarity index 73%
copy from content/components/broker-j/security.html
copy to content/cves/CVE-2019-0200.html
index 862dbf3..fe34b6d 100644
--- a/content/components/broker-j/security.html
+++ b/content/cves/CVE-2019-0200.html
@@ -21,7 +21,7 @@
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
-    <title>Security - Apache Qpid&#8482;</title>
+    <title>CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP
0-8 to 0-10 commands - Apache Qpid&#8482;</title>
     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
     <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
     <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
@@ -111,76 +111,60 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
       </div>
 
       <div id="-middle" class="panel">
-        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a
href="/components/index.html">Components</a></li><li><a href="/components/broker-j/index.html">Broker-J</a></li><li>Security</li></ul>
+        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2019-0200:
Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands</li></ul>
 
         <div id="-middle-content">
-          <h1 id="security">Security</h1>
-
-<table>
-<thead>
-<tr>
-  <th>CVE-ID</th>
-  <th>Severity</th>
-  <th>Affected versions</th>
-  <th>Fixed versions</th>
-  <th>Summary</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-  <td><a href="/cves/CVE-2016-3094.html">CVE-2016-3094</a></td>
-  <td>Important</td>
-  <td>6.0.0, 6.0.1, and 6.0.2</td>
-  <td>6.0.3</td>
-  <td>Denial of service</td>
-</tr>
-<tr>
-  <td><a href="/cves/CVE-2016-4432.html">CVE-2016-4432</a></td>
-  <td>Important</td>
-  <td>6.0.2 and earlier</td>
-  <td>6.0.3</td>
-  <td>Authentication bypass</td>
-</tr>
-<tr>
-  <td><a href="/cves/CVE-2016-8741.html">CVE-2016-8741</a></td>
-  <td>Moderate</td>
-  <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
-  <td>6.0.6, 6.1.1</td>
-  <td>Information leakage</td>
-</tr>
-<tr>
-  <td><a href="/cves/CVE-2017-15701.html">CVE-2017-15701</a></td>
-  <td>Important</td>
-  <td>6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4</td>
-  <td>6.1.5</td>
-  <td>Denial of Service</td>
-</tr>
-<tr>
-  <td><a href="/cves/CVE-2017-15702.html">CVE-2017-15702</a></td>
-  <td>Important</td>
-  <td>0.18, 0.20, 0.22, 0.24, 0.26, 0.28, 0.30, and 0.32</td>
-  <td>6.0.0</td>
-  <td>Authentication vulnerability</td>
-</tr>
-<tr>
-  <td><a href="/cves/CVE-2018-1298.html">CVE-2018-1298</a></td>
-  <td>Important</td>
-  <td>7.0.0</td>
-  <td>7.0.1</td>
-  <td>Denial of Service</td>
-</tr>
-<tr>
-  <td><a href="/cves/CVE-2018-8030.html">CVE-2018-8030</a></td>
-  <td>Important</td>
-  <td>7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4</td>
-  <td>7.0.5</td>
-  <td>Denial of Service</td>
-</tr>
-</tbody>
-</table>
-
-<p>See the main <a href="/security.html">security</a> page for general
-information and details for other components.</p>
+          <h1 id="cve-2019-0200-apache-qpid-broker-j-denial-of-service-due-to-malformed-amqp-0-8-to-0-10-commands">CVE-2019-0200:
Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Critical</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>6.0.0-7.0.6 and 7.1.0</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-broker-j-7.0.7/index.html">7.0.7</a>
+<a href="/releases/qpid-broker-j-7.1.1/index.html">7.1.1</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J
+versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated
+attacker to crash the broker instance by sending specially crafted
+commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and
+0-10).</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0
+utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid
+Broker-J versions 7.0.7 or 7.1.1 or later.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrade of the broker is not possible, the support for AMQP protocols
+0-8...0-10 can be disabled on AMQP ports. The change can be made either
+directly in the broker configuration file or by using management interfaces.</p>
+
+<p>An example of REST API call restricting AMQP port to support only AMQP 1.0
+using curl utility is provided below:</p>
+
+<p><code>sh
+curl --user &lt;user-name&gt; -X POST  -d '{"protocols":["AMQP_1_0"]}' https://&lt;broker
host&gt;:&lt;broker port&gt;/api/latest/port/&lt;port name&gt;
+</code></p>
+
+<h2 id="references">References</h2>
+
+<ul>
+<li><a href="https://issues.apache.org/jira/browse/QPID-8273">QPID-8273</a></li>
+</ul>
 
 
           <hr/>
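Review bot: the curl example in the "Mitigation" section has been rendered as an inline `<p><code>sh ... </code></p>` rather than a `<pre><code>` block, and the fence's language tag `sh` has leaked into the visible text; the ```sh fence in the markdown source was evidently not recognised by the site generator, so either regenerate with fenced-code support enabled or switch the source to an indented code block. Two content points in the same hunk: "Severity: Critical" disagrees with "Important" in the Broker-J security table changed earlier in this commit, and the mitigation paragraph should state explicitly that removing the 0-8 to 0-10 protocols from a port disconnects any clients still speaking those versions, so operators know to move such clients to AMQP 1.0 (or to a separately configured port) before applying the change.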
diff --git a/input/components/broker-j/security.md b/input/components/broker-j/security.md
index 89019a6..efee99f 100644
--- a/input/components/broker-j/security.md
+++ b/input/components/broker-j/security.md
@@ -28,6 +28,8 @@
 | [CVE-2017-15702]({{site_url}}/cves/CVE-2017-15702.html) | Important | 0.18, 0.20, 0.22,
0.24, 0.26, 0.28, 0.30, and 0.32 | 6.0.0 | Authentication vulnerability |
 | [CVE-2018-1298]({{site_url}}/cves/CVE-2018-1298.html) | Important | 7.0.0 | 7.0.1 | Denial
of Service |
 | [CVE-2018-8030]({{site_url}}/cves/CVE-2018-8030.html) | Important | 7.0.0, 7.0.1, 7.0.2,
7.0.3 and 7.0.4 | 7.0.5 | Denial of Service |
+| [CVE-2019-0200]({{site_url}}/cves/CVE-2019-0200.html) | Important | 6.0.0, 6.0.1, 6.0.2,
6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6,
6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6 and 7.1.0 | 7.0.7, 7.1.1 | Denial of
Service |
+
 
 See the main [security]({{site_url}}/security.html) page for general
 information and details for other components.
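Review bot: the added line after the new table row is a bare `+` (an empty line) immediately followed by the existing blank line, which leaves a double blank between the table and the closing paragraph; drop the extra line. As with the generated HTML, the row's "Important" rating does not match "Critical" in input/cves/CVE-2019-0200.md added in this commit; the two sources should agree.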
diff --git a/input/cves/CVE-2019-0200.md b/input/cves/CVE-2019-0200.md
new file mode 100644
index 0000000..c2f2920
--- /dev/null
+++ b/input/cves/CVE-2019-0200.md
@@ -0,0 +1,49 @@
+# CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10
commands
+
+## Severity
+
+Critical
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+6.0.0-7.0.6 and 7.1.0
+
+## Fixed versions
+
+[7.0.7]({{site_url}}/releases/qpid-broker-j-7.0.7/index.html)
+[7.1.1]({{site_url}}/releases/qpid-broker-j-7.1.1/index.html)
+
+## Description
+
+A Denial of Service vulnerability was found in Apache Qpid Broker-J
+versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated
+attacker to crash the broker instance by sending specially crafted
+commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and
+0-10).
+
+## Resolution
+
+Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0
+utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid
+Broker-J versions 7.0.7 or 7.1.1 or later.
+
+## Mitigation
+
+If upgrade of the broker is not possible, the support for AMQP protocols
+0-8...0-10 can be disabled on AMQP ports. The change can be made either
+directly in the broker configuration file or by using management interfaces.
+
+An example of REST API call restricting AMQP port to support only AMQP 1.0
+using curl utility is provided below:
+
+```sh
+curl --user <user-name> -X POST  -d '{"protocols":["AMQP_1_0"]}' https://<broker
host>:<broker port>/api/latest/port/<port name>
+```
+
+## References
+
+ - [QPID-8273](https://issues.apache.org/jira/browse/QPID-8273)
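Review bot: the curl command in "Mitigation" posts a JSON body with `-d` but sets no Content-Type, so curl will label the body as application/x-www-form-urlencoded; adding `-H 'Content-Type: application/json'` makes the request unambiguous for the management API. In "Description" and "Resolution" the protocol name "0-91" should read "0-9-1" to match the AMQP specification's naming (the heading already uses the "0-8 to 0-10" form). "Severity: Critical" conflicts with the "Important" rating given in the Broker-J security table in this same commit. Finally, the "Resolution" section could note that the mitigation is a stop-gap only: a port restricted to AMQP_1_0 stops accepting clients on the older protocol versions, so the upgrade to 7.0.7 or 7.1.1 remains the fix.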



