CVE-2017-15701

Severity

Important

Affected components

Qpid Broker-J

Affected versions

6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4

Fixed versions

6.1.5

Description

The broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected.

Resolution

Users who have AMQP 1.0 support enabled (default) should upgrade their Qpid Broker-J to version 6.1.5 or later (recommended).

Mitigation

If upgrading the broker is not possible, users can choose to disable AMQP 1.0 by either setting the system property "qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true", excluding "AMQP_1_0" from the supported protocol list on all AMQP ports, or by removing the AMQP 1.0 related jar files from the Java classpath.

References

QPID-7947

---

• Apache
• License
• Sponsorship
• Thanks!
• Security

Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners