From: Ganesh Murthy
Date: Tue, 13 Feb 2018 15:09:57 -0500
To: announce@apache.org, users@qpid.apache.org, dev@qpid.apache.org, security@apache.org, oss-security@lists.openwall.com
Subject: [SECURITY] CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router

CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 0.7.0 and 0.8.0

Description: A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame, which causes the Router to segfault and shut down.

Resolution: Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to version 0.8.1, or to 1.0.0 and later.

Mitigation: Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled, then any remote user with network access to the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication: an attacker then needs valid credentials to establish a connection to the Router before proceeding to exploit this vulnerability.

[1] - https://issues.apache.org/jira/browse/DISPATCH-924
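The authentication requirement described under Mitigation, shown as a qdrouterd.conf listener fragment with the exposed setting beside the restricted one. This is an added illustration, not part of the advisory or of the Qpid project's own documentation; the listener attribute names are those of the Dispatch Router configuration, while the host, port, mechanism and sslProfile name are assumptions.

```conf
# Exposed: the listener offers ANONYMOUS and does not authenticate peers,
# so any host with network access to this port can open an AMQP connection
# and is a possible attacker in the sense of the advisory.
listener {
    host: 0.0.0.0
    port: amqp
    role: normal
    saslMechanisms: ANONYMOUS
    authenticatePeer: no
}

# Restricted: peers must complete SASL PLAIN authentication over TLS before
# the connection is accepted, and ANONYMOUS is not offered at all.
# "router-tls" is an assumed name for an sslProfile entity defined elsewhere.
listener {
    host: 0.0.0.0
    port: amqps
    role: normal
    sslProfile: router-tls
    requireSsl: yes
    authenticatePeer: yes
    saslMechanisms: PLAIN
}
```

Requiring authentication only narrows who can reach the affected code path; the Resolution above (upgrading to 0.8.1 or 1.0.0 and later) is still required to remove the vulnerability.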