Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 9 Aug 2012 12:01:45 -0600
From: Vincent Danen <>
Subject: CVE-2012-3467: Unauthorized access (authentication bypass) from
 client to broker due to use of NullAuthenticator in shadow connections

Just a heads up to advise those shipping qpid-cpp of the following flaw:

In the AMQP messaging scheme implementation each broker can have both, direct
connections and shadow connections. A shadow connection represents a connection
to another broker in the cluster. Members use shadow connections to simulate
the actions of other brokers, so that all members arrive at the same time.
Output for shadow connections is just discarded, brokers only send data to
their directly-connected clients.

A security flaw was found in the way the Qpid C++ libraries implementation,
used by AMQP client applications to exchange messages with an AMQP message
broker using the AMQP protocol, performed authentication for certain shadow
connections. An AMQP client application could issue a phoney shadow connection
to the AMQP broker, leading into situation that AMQP broker to consider the
connection it to be a legitimate connection from another AMQP broker,
subsequently using NullAuthenticator mechanism for authentication, allowing the
AMQP client application to bypass the authentication.

This has been assigned the name CVE-2012-3467.


Also, as a aide note, this affects (possibly Red Hat-specific naming
convention) the qpid-cpp-server-cluster package, other qpid packages  are not

Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.