From: Alex Rudyy
Date: Fri, 1 Mar 2019 17:22:14 +0000
Reply-To: users@qpid.apache.org
To: dev@qpid.apache.org, users@qpid.apache.org, announce@apache.org, security@apache.org, oss-security@lists.openwall.com, bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands

CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: 6.0.0-7.0.6 (inclusive), 7.1.0

Description:

A Denial of Service vulnerability [1] was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10).

Resolution:

Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later.

Mitigation:

If upgrading the broker is not possible, support for AMQP protocols 0-8...0-10 can be disabled on the AMQP ports. The change can be made either directly in the broker configuration file or through the management interfaces.

An example REST API call, using the curl utility, that restricts an AMQP port to AMQP 1.0 only is provided below:

curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' \
  https://<broker host>:<broker port>/api/latest/port/<port name>

References:
[1] https://issues.apache.org/jira/browse/QPID-8273
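As an added example (not part of the advisory or of the Qpid project), a Python check that flags broker ports on which this issue is still reachable: it applies the affected-version ranges above and treats any AMQP port that is unrestricted, or that lists a pre-1.0 protocol, as exposed, then shows the config-file equivalent of the REST body. The config.json layout, the port "type" attribute and the pre-1.0 protocol identifiers are assumptions; only AMQP_1_0 comes from the advisory.

```python
import json

# Protocol identifiers follow the AMQP_1_0 naming in the advisory's REST
# example; the pre-1.0 names are assumed to match the broker's own enum.
PRE_1_0_PROTOCOLS = {"AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1", "AMQP_0_10"}

# Constructed sample of a broker config.json (layout is an assumption: a
# top-level "ports" list; entries carry "name", "type", optional "protocols").
SAMPLE_CONFIG = json.dumps({"ports": [
    {"name": "AMQP", "type": "AMQP", "port": 5672},
    {"name": "AMQP-1.0", "type": "AMQP", "port": 5673,
     "protocols": ["AMQP_1_0"]},
    {"name": "legacy", "type": "AMQP", "port": 5674,
     "protocols": ["AMQP_0_9_1", "AMQP_1_0"]},
    {"name": "HTTP", "type": "HTTP", "port": 8080, "protocols": ["HTTP"]},
]})

def parse_version(version):
    """'7.0.6' -> (7, 0, 6), so the ranges compare as plain tuples."""
    return tuple(int(part) for part in version.split("."))

def is_affected_version(version):
    """Affected per the advisory: 6.0.0 through 7.0.6 inclusive, and 7.1.0."""
    v = parse_version(version)
    return (6, 0, 0) <= v <= (7, 0, 6) or v == (7, 1, 0)

def port_accepts_pre_1_0(port):
    """True if an AMQP port can still negotiate AMQP 0-8 to 0-10.
    A port without a "protocols" attribute is unrestricted, so the broker
    offers every protocol it supports on it (assumed default behaviour)."""
    if port.get("type", "AMQP") != "AMQP":
        return False
    protocols = port.get("protocols")
    if protocols is None:
        return True
    return bool(PRE_1_0_PROTOCOLS & set(protocols))

def exposed_ports(config_text, version):
    """Names of ports on which CVE-2019-0200 is reachable at this version."""
    if not is_affected_version(version):
        return []
    ports = json.loads(config_text).get("ports", [])
    return [p["name"] for p in ports if port_accepts_pre_1_0(p)]

def restrict_to_amqp_1_0(port):
    """Config-file equivalent of the advisory's REST body {"protocols":["AMQP_1_0"]}."""
    return {**port, "protocols": ["AMQP_1_0"]}

if __name__ == "__main__":
    print(exposed_ports(SAMPLE_CONFIG, "7.0.6"))  # ['AMQP', 'legacy']
```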
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org