www-announce mailing list archives

From Ganesh Murthy <gmur...@apache.org>
Subject [SECURITY] CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router
Date Tue, 13 Feb 2018 20:09:57 GMT
CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service
Vulnerability when specially crafted frame is sent to the Router

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 0.7.0 and 0.8.0

Description: A Denial of Service vulnerability was found in Apache
Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a
remote user must be able to establish an AMQP connection to the Qpid
Dispatch Router and send a specifically crafted AMQP frame which will
cause it to segfault and shut down.

Resolution:
Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to
version 0.8.1 or 1.0.0 and later.

Mitigation:
Any user who is able to connect to the Router may exploit the
vulnerability. If anonymous authentication is enabled then any remote
user with network access to the Router is a possible attacker. The number
of possible attackers is reduced if the Router is configured to
require authentication. Then an attacker needs to have authentic
credentials which are used to create a connection to the Router before
proceeding to exploit this vulnerability.

[1] - https://issues.apache.org/jira/browse/DISPATCH-924
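
Added example (not part of the original advisory and not Apache Qpid code): a Python check that applies the Mitigation paragraph to a router configuration, reporting whether the version is one the advisory lists and which listeners accept peers without credentials. It assumes the qdrouterd.conf listener attributes port, authenticatePeer and saslMechanisms, treats a missing authenticatePeer as "not required", and runs on a constructed sample configuration; all function names are hypothetical.

```python
import re

AFFECTED_VERSIONS = {"0.7.0", "0.8.0"}  # versions named in the advisory

# Constructed sample qdrouterd.conf, not taken from a real deployment.
SAMPLE_CONF = """\
router {
    mode: standalone
}
# plain AMQP, open to anyone with network access
listener {
    port: 5672
    authenticatePeer: no
    saslMechanisms: ANONYMOUS
}
listener {
    port: 5671
    authenticatePeer: yes
    saslMechanisms: PLAIN
}
"""

def listeners(text):
    """Yield the attribute dict of every 'listener { ... }' block."""
    text = re.sub(r"#.*", "", text)  # drop comments
    for kind, body in re.findall(r"^\s*(\w+)\s*\{(.*?)^\s*\}", text, re.S | re.M):
        if kind == "listener":
            pairs = (line.partition(":") for line in body.splitlines())
            yield {k.strip(): v.strip() for k, sep, v in pairs if sep}

def unauthenticated_ports(text):
    """Ports of listeners that admit a peer without credentials."""
    exposed = []
    for attrs in listeners(text):
        # Assumption: absent authenticatePeer means authentication is not required.
        requires_auth = attrs.get("authenticatePeer", "no").lower() in ("yes", "true")
        mechanisms = attrs.get("saslMechanisms", "").upper().split()
        if not requires_auth or "ANONYMOUS" in mechanisms:
            exposed.append(attrs.get("port", "?"))
    return exposed

def assess(version, conf_text):
    """Apply the advisory: affected version first, then who can reach it."""
    if version not in AFFECTED_VERSIONS:
        return "not affected"
    ports = unauthenticated_ports(conf_text)
    if ports:
        return "affected, any remote user can connect on port " + ", ".join(ports)
    return "affected, attacker needs valid credentials"
```

Requiring authentication only narrows who can send the frame; an affected version still has to be upgraded as the Resolution section states.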
