Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 9 Aug 2012 12:01:45 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2012-3467: Unauthorized access (authentication bypass) from
 client to broker due to use of NullAuthenticator in shadow connections

Just a heads up to advise those shipping qpid-cpp of the following flaw:

In the AMQP messaging scheme implementation each broker can have both, direct
connections and shadow connections. A shadow connection represents a connection
to another broker in the cluster. Members use shadow connections to simulate
the actions of other brokers, so that all members arrive at the same time.
Output for shadow connections is just discarded, brokers only send data to
their directly-connected clients.

A security flaw was found in the way the Qpid C++ libraries implementation,
used by AMQP client applications to exchange messages with an AMQP message
broker using the AMQP protocol, performed authentication for certain shadow
connections. An AMQP client application could issue a phoney shadow connection
to the AMQP broker, leading into situation that AMQP broker to consider the
connection it to be a legitimate connection from another AMQP broker,
subsequently using NullAuthenticator mechanism for authentication, allowing the
AMQP client application to bypass the authentication.


This has been assigned the name CVE-2012-3467.

References:

https://issues.apache.org/jira/browse/QPID-3849
http://svn.apache.org/viewvc?view=revision&revision=1352992
https://bugzilla.redhat.com/show_bug.cgi?id=836276

Also, as a aide note, this affects (possibly Red Hat-specific naming
convention) the qpid-cpp-server-cluster package, other qpid packages  are not
affected.

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ