
CVE-2015-0203

Severity

Moderate

Affected components

Qpid C++ broker

Affected versions

0.30 and earlier

Fixed versions

0.32 and later

Description

Qpidd can be crashed by an authenticated user.

Certain unexpected protocol sequences cause the broker process to crash due to insufficient checking. Three distinct cases were identified as follows:

  • The AMQP 0-10 protocol defines a sequence-set containing id ranges. The qpidd broker can be crashed by sending it a sequence-set containing an invalid range, where the start of the range is after the end. This condition triggers an assertion failure, which causes the broker process to exit.

  • The AMQP 0-10 protocol defines header and body segments that may follow certain commands. The only command for which qpidd expects such segments is the message-transfer command. If another command is sent that includes header and/or body segments, this causes a segmentation fault in the broker process, which then exits.

  • The AMQP 0-10 protocol defines a session-gap control that can be sent on any established session. The qpidd broker does not support this control and responds with an appropriate error if it is requested on an established session. However, if the control is sent before the session is opened, the broker's handling triggers an assertion failure, which results in the broker process exiting.

Authentication can be used to restrict access to the broker. However, any authenticated user would be able to trigger this condition, which could therefore be considered a form of denial of service.

Resolution

A patch is available (QPID-6310) that handles all these errors by sending an exception control to the remote peer, leaving the broker available to all other users. The fix will be included in subsequent releases, but can be applied to 0.30 if desired.
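
The following is an added illustration of the first case and of the "report an error instead of asserting" approach; it is not code from Qpid or from the QPID-6310 patch. The type names, function names and error strings are hypothetical, and the wire layout (a 16-bit octet count followed by 32-bit low/high pairs, compared with serial-number arithmetic) is assumed from the AMQP 0-10 specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical types for illustration; these are not Qpid's classes.
using Range = std::pair<uint32_t, uint32_t>;  // inclusive [low, high]

struct DecodeResult {
    std::vector<Range> ranges;  // meaningful only when error is empty
    std::string error;          // non-empty: reject the input, keep the process running
};

// Serial-number (RFC 1982 style) comparison for 32-bit sequence numbers: a <= b.
static bool serialLessEq(uint32_t a, uint32_t b) {
    return static_cast<uint32_t>(b - a) < 0x80000000u;
}

static uint32_t readU32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Decode a sequence-set from untrusted bytes.
// Assumed layout: big-endian 16-bit octet count, then (low, high) 32-bit pairs.
DecodeResult decodeSequenceSet(const std::vector<uint8_t>& buf) {
    DecodeResult r;
    if (buf.size() < 2) { r.error = "truncated size field"; return r; }
    size_t len = (size_t(buf[0]) << 8) | buf[1];
    if (len != buf.size() - 2) { r.error = "size does not match payload"; return r; }
    if (len % 8 != 0) { r.error = "payload is not a whole number of ranges"; return r; }
    for (size_t off = 2; off < buf.size(); off += 8) {
        uint32_t low = readU32(&buf[off]);
        uint32_t high = readU32(&buf[off + 4]);
        // Peer-controlled data is validated and rejected, never asserted on.
        if (!serialLessEq(low, high)) {
            r.ranges.clear();
            r.error = "invalid range: start after end";
            return r;
        }
        r.ranges.emplace_back(low, high);
    }
    return r;
}
```

A caller would map a non-empty `error` to a protocol-level exception for that peer only, which matches the behaviour the resolution describes.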

Credit

This issue was discovered by G. Geshev from MWR Labs.

References

QPID-6310