CVE-2017-15699: Apache Qpid Dispatch Denial of Service Vulnerability when specially crafted frame is sent to the Router

Severity

Important

Affected components

Qpid Dispatch Router

Affected versions

0.7.0, 0.8.0

Fixed versions

0.8.1, 1.0.0

Description

A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down.

Resolution

Users of Qpid Dispatch Router version 0.7.0 and 0.8.0 must upgrade to version 0.8.1 or later.

Mitigation

Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled then any remote user with network access the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication. Then an attacker needs to have authentic credentials which are used to create a connection to the Router before proceeding to exploit this vulnerability.

References

• DISPATCH-924

---

• Apache
• License
• Sponsorship
• Thanks!
• Security

Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners