Date: Thu, 30 Nov 2017 17:15:43 +0000
From: Keith Wall <kwall@...che.org>
To: "users@...d.apache.org" <users@...d.apache.org>, "dev@...d.apache.org" <dev@...d.apache.org>, security@...che.org, oss-security@...ts.openwall.com, announce@...che.org
Subject: [SECURITY] [CVE-2017-15701] Apache Qpid Broker-J Denial of Service Vulnerability

CVE-2017-15701: Apache Qpid Broker-J denial of service vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4

Description:
The broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected.

Resolution:
Users who have AMQP 1.0 support enabled (the default) should upgrade their Qpid Broker-J to version 6.1.5 or later.

Mitigation:
If upgrading the broker is not possible, users can disable AMQP 1.0 either by setting the system property "qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true", by excluding "AMQP_1_0" from the supported protocol list on all AMQP ports, or by removing the AMQP 1.0 related jar files from the Java classpath.

References:
https://issues.apache.org/jira/browse/QPID-7947
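The defect described above is a missing bound on the size a peer declares in the AMQP 1.0 frame header before the receiver reserves memory for the frame. The following is an added illustration of that check, written for this post and not taken from Broker-J: it validates the 8-byte header (SIZE, DOFF, TYPE, channel) against the negotiated max-frame-size before any buffer for the body is allocated. The frame bytes are constructed samples, and the 512-byte limit is the AMQP 1.0 floor for max-frame-size, assumed here as the negotiated value.

```python
import struct

FRAME_HEADER_LEN = 8       # SIZE(4, big-endian) DOFF(1) TYPE(1) TYPE-SPECIFIC(2)
MIN_MAX_FRAME_SIZE = 512   # smallest max-frame-size AMQP 1.0 allows to be negotiated


class MalformedFrame(ValueError):
    pass


class FrameTooLarge(ValueError):
    pass


def check_frame_header(header: bytes, max_frame_size: int):
    """Validate a frame header using only its 8 bytes, before reserving any memory.

    Returns (size, doff, frame_type, channel). Raises FrameTooLarge when the
    declared size exceeds the negotiated max-frame-size: this is the bound
    the advisory says the affected broker did not enforce.
    """
    if len(header) < FRAME_HEADER_LEN:
        raise MalformedFrame("short header")
    size, doff, frame_type, channel = struct.unpack(">IBBH", header[:FRAME_HEADER_LEN])
    if size < FRAME_HEADER_LEN or doff < 2 or doff * 4 > size:
        raise MalformedFrame(f"inconsistent size={size} doff={doff}")
    if size > max_frame_size:
        # Decide on the declared value alone; never allocate `size` bytes first.
        raise FrameTooLarge(f"declared {size} exceeds max-frame-size {max_frame_size}")
    return size, doff, frame_type, channel


def read_frames(stream: bytes, max_frame_size: int = MIN_MAX_FRAME_SIZE):
    """Split a byte stream into (type, channel, body) frames, bounding each one."""
    frames, offset = [], 0
    while offset < len(stream):
        size, doff, frame_type, channel = check_frame_header(stream[offset:], max_frame_size)
        if offset + size > len(stream):
            raise MalformedFrame("truncated frame")  # a real reader would wait for more bytes
        frames.append((frame_type, channel, stream[offset + doff * 4:offset + size]))
        offset += size
    return frames


def frame_accepted(stream: bytes, max_frame_size: int = MIN_MAX_FRAME_SIZE) -> bool:
    """True if every frame in the stream passes the size and header checks."""
    try:
        read_frames(stream, max_frame_size)
        return True
    except (FrameTooLarge, MalformedFrame):
        return False


def build_frame(body: bytes, frame_type: int = 0, channel: int = 0) -> bytes:
    """Constructed sample frame with DOFF=2 (no extended header)."""
    return struct.pack(">IBBH", FRAME_HEADER_LEN + len(body), 2, frame_type, channel) + body


GOOD_STREAM = build_frame(b"\x00\x53\x10\x45")                          # 12-byte frame
HUGE_HEADER = struct.pack(">IBBH", 0xFFFFFFFF, 2, 0, 0) + b"\x00" * 8  # claims 4 GiB
BAD_DOFF = struct.pack(">IBBH", 12, 1, 0, 0) + b"\x00" * 4              # DOFF below minimum
```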