Mailing-List: contact users-help@qpid.apache.org; run by ezmlm
Reply-To: users@qpid.apache.org
Delivered-To: mailing list users@qpid.apache.org
To: users@qpid.apache.org, dev@qpid.apache.org, "security@apache.org", oss-security@lists.openwall.com,
bugtraq@securityfocus.com
From: Lorenz Quack
Subject: [CVE-2016-3094] Apache Qpid Java Broker denial of service vulnerability
Message-ID: <5748641A.2050701@gmail.com>
Date: Fri, 27 May 2016 16:13:30 +0100
archived-at: Fri, 27 May 2016 15:13:42 -0000

CVE-2016-3094: Apache Qpid Java Broker denial of service vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Qpid Java Broker versions 6.0.0, 6.0.1, and 6.0.2

Description:
A malformed authentication attempt may cause the broker to terminate.

The Qpid Java Broker supports a number of configurable authentication providers, each supporting various SASL mechanisms. Some mechanisms need (or can be configured to accept) plain-text passwords being sent to the Broker (using the SASL "PLAIN" mechanism). Where the broker has been configured to allow plain-text passwords for authentication, it is possible for a client to send a malformed authentication attempt which will lead the broker to terminate due to an uncaught Exception.

Brokers configured to use authentication from the "PlainPasswordFile", "SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled on non-TLS ports, but enabled on TLS connections).

Mitigation:
Users should upgrade their Qpid Java Broker to version 6.0.3 or later.

If this is not possible, users can disable the PLAIN mechanism for their authentication manager on versions 0.32 and later by adding "PLAIN" to the list of disabledMechanisms on their authentication provider object. Note that the SimpleLDAP authentication provider requires PLAIN and so this workaround does not apply there.

Credit:
This issue was discovered by Alex Szczuczko of Red Hat, Inc.
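The failure mode the advisory describes, a malformed SASL PLAIN response escaping as an uncaught exception, is easiest to see next to the handler shape that avoids it. The following is an added example, not code from the advisory or from the Qpid Java Broker, and the malformed inputs in it are constructed illustrations of RFC 4616 violations (wrong field count, bad UTF-8, empty user name), not the specific input behind CVE-2016-3094, which the advisory does not describe. `decode_plain_naive`, `decode_plain_strict`, `authenticate_plain`, `AuthFailure`, `MAX_FIELD_OCTETS` and the demo user store are all names invented here.

```python
"""Defensive handling of the SASL PLAIN client response (RFC 4616).

Added example; not code from the advisory or from the Qpid Java Broker.
RFC 4616 defines the PLAIN response as three UTF-8 fields separated by NUL:
    [authzid] NUL authcid NUL passwd
A server-side handler must turn every malformed response into a controlled
authentication failure instead of letting a parsing exception propagate
out of the connection handler.
"""
from dataclasses import dataclass
from typing import Callable, Tuple


class AuthFailure(Exception):
    """Any response that must be rejected; the caller maps this to a SASL failure reply."""


@dataclass(frozen=True)
class PlainCredentials:
    authzid: str    # authorization identity, may be empty
    authcid: str    # authentication identity (the user name)
    password: str


def decode_plain_naive(response: bytes) -> PlainCredentials:
    """Fragile decoder, constructed for contrast (not Qpid's code).

    It assumes a well-formed response: a wrong field count raises ValueError
    and non-UTF-8 bytes raise UnicodeDecodeError. Neither is an AuthFailure,
    so a caller that only catches AuthFailure lets them escape.
    """
    authzid, authcid, password = response.decode("utf-8").split("\x00")
    return PlainCredentials(authzid, authcid, password)


# Defensive per-field bound; a local choice for this example, not an RFC value.
MAX_FIELD_OCTETS = 255


def decode_plain_strict(response: bytes, max_field_octets: int = MAX_FIELD_OCTETS) -> PlainCredentials:
    """Parse a PLAIN response, rejecting anything malformed with AuthFailure."""
    if not isinstance(response, (bytes, bytearray)):
        raise AuthFailure("PLAIN response must be raw bytes")
    # Bound the total size before doing any work on the payload.
    if len(response) > 3 * max_field_octets + 2:
        raise AuthFailure("PLAIN response too long")
    parts = bytes(response).split(b"\x00")
    if len(parts) != 3:
        raise AuthFailure(f"expected 3 NUL-separated fields, got {len(parts)}")
    raw_authzid, raw_authcid, raw_password = parts
    if not raw_authcid or not raw_password:
        raise AuthFailure("authcid and password must be non-empty")
    for name, raw in (("authzid", raw_authzid), ("authcid", raw_authcid), ("passwd", raw_password)):
        if len(raw) > max_field_octets:
            raise AuthFailure(f"{name} exceeds {max_field_octets} octets")
    try:
        authzid, authcid, password = (field.decode("utf-8") for field in parts)
    except UnicodeDecodeError:
        raise AuthFailure("PLAIN fields must be valid UTF-8") from None
    return PlainCredentials(authzid, authcid, password)


def authenticate_plain(
    response: bytes,
    verify: Callable[[str, str], bool],
    decoder: Callable[[bytes], PlainCredentials] = decode_plain_strict,
) -> Tuple[bool, str]:
    """Connection-handler shape: returns (ok, reason) and catches only AuthFailure."""
    try:
        creds = decoder(response)
    except AuthFailure as exc:
        return False, f"malformed PLAIN response: {exc}"
    # No proxy authorization in this example: authzid must be empty or equal authcid.
    if creds.authzid and creds.authzid != creds.authcid:
        return False, "proxy authorization not permitted"
    if verify(creds.authcid, creds.password):
        return True, "ok"
    return False, "invalid credentials"


# Constructed demo credential store; not a real user database.
DEMO_USERS = {"alice": "s3cret"}


def verify_demo_user(user: str, password: str) -> bool:
    return DEMO_USERS.get(user) == password


def demo() -> dict:
    """Run constructed well-formed and malformed responses through both decoders."""
    cases = {
        "good":        b"\x00alice\x00s3cret",
        "two_fields":  b"alice\x00s3cret",          # missing a NUL separator
        "four_fields": b"\x00alice\x00s3c\x00ret",  # extra NUL
        "bad_utf8":    b"\x00\xff\xfe\x00s3cret",   # authcid is not UTF-8
        "empty_user":  b"\x00\x00s3cret",
    }
    results = {}
    for name, payload in cases.items():
        strict = authenticate_plain(payload, verify_demo_user)
        try:
            authenticate_plain(payload, verify_demo_user, decoder=decode_plain_naive)
            naive = "handled"
        except (ValueError, UnicodeDecodeError) as exc:
            naive = f"escaped {type(exc).__name__}"  # what a broker must never let happen
        results[name] = {"strict": strict, "naive": naive}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} strict={outcome['strict']}  naive={outcome['naive']}")
```

With the strict decoder every case returns a `(False, reason)` tuple the handler can answer with a SASL failure; with the naive decoder the two wrong-field-count cases and the bad-UTF-8 case raise past `authenticate_plain`, which in a real broker is the kind of unhandled exception the advisory says terminates the process. Operators who cannot upgrade get the same effect from the advisory's mitigation, removing PLAIN from the offered mechanisms, so the malformed response is never parsed at all.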
References:
https://issues.apache.org/jira/browse/QPID-7271

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org