Date: Tue, 13 Feb 2018 15:09:57 -0500
From: Ganesh Murthy <gmurthy@...che.org>
To: announce@...che.org, users@...d.apache.org, dev@...d.apache.org, security@...che.org, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router

CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 0.7.0 and 0.8.0

Description:
A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specially crafted AMQP frame, which causes the Router to segfault and shut down.

Resolution:
Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to version 0.8.1 or 1.0.0 or later.

Mitigation:
Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled, then any remote user with network access to the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication: an attacker then needs valid credentials to create a connection to the Router before proceeding to exploit this vulnerability.

- https://issues.apache.org/jira/browse/DISPATCH-924
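As an added illustration of the mitigation above (example configuration written for this page, not part of the advisory or of the Qpid project's own documentation), a qdrouterd.conf fragment showing the anonymous listener the advisory warns about next to one that requires SASL authentication. The router id, the SASL config path and name, and the port numbers are assumed placeholders.

```conf
# Added example, not from the advisory. Router id and SASL settings are
# placeholders; saslConfigPath/saslConfigName are assumed to point at a
# Cyrus SASL configuration that defines real user credentials.
router {
    mode: standalone
    id: Router.EXAMPLE
    saslConfigPath: /etc/sasl2
    saslConfigName: qdrouterd
}

# Weak: anonymous access. Anyone who can reach this port can open an AMQP
# connection, which is the only precondition the advisory requires, so the
# attacker population is "everyone with network access to the Router".
listener {
    host: 0.0.0.0
    port: amqp
    role: normal
    authenticatePeer: no
    saslMechanisms: ANONYMOUS
}

# Hardened: every peer must authenticate before it can send frames, so only
# holders of valid credentials can reach the vulnerable code path. This
# reduces the exposure but does not remove it; only upgrading to 0.8.1 or
# 1.0.0 or later fixes the crash. Pair this listener with an sslProfile in
# real deployments so PLAIN credentials are not sent in the clear.
listener {
    host: 0.0.0.0
    port: 5672
    role: normal
    authenticatePeer: yes
    saslMechanisms: PLAIN
}
```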