CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands
Severity
Critical
Affected components
Qpid Broker-J
Affected versions
6.0.0-7.0.6 and 7.1.0
Fixed versions
7.0.7, 7.1.1
Description
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10).
Resolution
Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later.
Mitigation
If upgrade of the broker is not possible, the support for AMQP protocols 0-8...0-10 can be disabled on AMQP ports. The change can be made either directly in the broker configuration file or by using management interfaces.
An example of REST API call restricting AMQP port to support only AMQP 1.0 using curl utility is provided below:
sh
curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' https://<broker host>:<broker port>/api/latest/port/<port name>
References
Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners