Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Feb 2018 15:09:57 -0500
From: Ganesh Murthy <gmurthy@...che.org>
To: announce@...che.org, users@...d.apache.org, dev@...d.apache.org, 
	security@...che.org, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-15699: Apache Qpid Dispatch Router Denial of
 Service Vulnerability when specially crafted frame is sent to the Router

CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service
Vulnerability when specially crafted frame is sent to the Router

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 0.7.0 and 0.8.0

Description: A Denial of Service vulnerability was found in Apache
Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a
remote user must be able to establish an AMQP connection to the Qpid
Dispatch Router and send a specifically crafted AMQP frame which will
cause it to segfault and shut down.

Resolution:
Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to
version 0.8.1 or 1.0.0 and later.

Mitigation:
Any user who is able to connect to the Router may exploit the
vulnerability. If anonymous authentication is enabled then any remote
user with network access the Router is a possible attacker. The number
of possible attackers is reduced if the Router is configured to
require authentication. Then an attacker needs to have authentic
credentials which are used to create a connection to the Router before
proceeding to exploit this vulnerability.

[1] - https://issues.apache.org/jira/browse/DISPATCH-924

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.