List: oss-security
Subject: [oss-security] [SECURITY] [CVE-2017-15701] Apache Qpid Broker-J Denial of Service Vulnerability
From: Keith Wall <kwall () apache ! org>
Date: 2017-11-30 17:15:43
Message-ID: CAFEMS4vr8tXkkmRj+y6g0p3y3r9SqDL8Gf9+ouhbKjPAsbJ04w () mail ! gmail ! com
CVE-2017-15701: Apache Qpid Broker-J denial of service vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4
Description:
The broker does not properly enforce a maximum frame size in AMQP 1.0
frames. A remote unauthenticated attacker could exploit this to cause
the broker to exhaust all available memory and eventually terminate.
Older AMQP protocols are not affected.
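The defect class the description names, shown as an added example that is not Broker-J's code and makes no claim about where in the broker the check was missing: an AMQP 1.0 frame begins with an 8-byte header (SIZE, DOFF, TYPE, CHANNEL) that arrives before authentication completes, so a reader that sizes a body buffer straight from the SIZE field can be driven to allocate about 4 GiB per crafted header. The hardened reader below validates every header field against the negotiated max-frame-size before reading or allocating a body. The 512-byte pre-negotiation bound, the frame bodies and the function names are assumptions of this example, not values from the advisory.

```python
import io
import struct

# AMQP 1.0 frame header: SIZE (4 bytes, big-endian, counts the header itself),
# DOFF (1 byte, data offset in 4-byte words, spec minimum 2), TYPE (1 byte,
# 0 = AMQP frame, 1 = SASL frame), CHANNEL (2 bytes).
FRAME_HEADER_LEN = 8
FRAME_HEADER_FMT = ">IBBH"
# The smallest max-frame-size the spec lets a peer advertise; a conservative
# bound to apply until the open performative negotiates a larger one.
# (Assumption of this example, not a Broker-J setting.)
PRE_OPEN_MAX_FRAME_SIZE = 512


class FrameError(ValueError):
    """A frame header failed validation; the connection should be closed."""


def unchecked_body_len(header: bytes) -> int:
    """Illustration of the vulnerable pattern: the body length is taken straight
    from the wire and would be used to size a buffer, so one crafted header
    demands ~4 GiB from an unauthenticated client."""
    size = struct.unpack(">I", header[:4])[0]
    return size - FRAME_HEADER_LEN


def parse_frame_header(header: bytes, max_frame_size: int) -> dict:
    """Validate all four header fields before a byte of body is read or allocated."""
    if len(header) != FRAME_HEADER_LEN:
        raise FrameError("short header: %d bytes" % len(header))
    size, doff, ftype, channel = struct.unpack(FRAME_HEADER_FMT, header)
    if size < FRAME_HEADER_LEN:
        raise FrameError("frame size %d is smaller than the header" % size)
    if size > max_frame_size:
        # The bound the advisory says was not enforced for AMQP 1.0 frames.
        raise FrameError("frame size %d exceeds max-frame-size %d" % (size, max_frame_size))
    if doff < 2:
        raise FrameError("doff %d is below the spec minimum of 2" % doff)
    if doff * 4 > size:
        raise FrameError("doff %d points past the end of the frame" % doff)
    if ftype not in (0, 1):
        raise FrameError("unknown frame type 0x%02x" % ftype)
    return {
        "size": size,
        "doff": doff,
        "type": ftype,
        "channel": channel,
        "body_len": size - FRAME_HEADER_LEN,
    }


def read_frame(stream, max_frame_size: int):
    """Read one frame; returns (header_dict, body) or None at a clean EOF.
    The body is only requested after the header has passed validation."""
    header = stream.read(FRAME_HEADER_LEN)
    if not header:
        return None
    hdr = parse_frame_header(header, max_frame_size)
    body = stream.read(hdr["body_len"])
    if len(body) != hdr["body_len"]:
        raise FrameError("truncated frame: expected %d body bytes, got %d"
                         % (hdr["body_len"], len(body)))
    return hdr, body


def check_frame(data: bytes, max_frame_size: int = PRE_OPEN_MAX_FRAME_SIZE):
    """Return ("accepted", header) or ("rejected", reason) for a frame's bytes."""
    try:
        result = read_frame(io.BytesIO(data), max_frame_size)
    except FrameError as exc:
        return ("rejected", str(exc))
    return ("accepted", result[0])


# Constructed sample frames for this example (not captured traffic).
# A well-formed 12-byte AMQP frame on channel 0 with a 4-byte stand-in body.
GOOD_FRAME = struct.pack(FRAME_HEADER_FMT, 12, 2, 0, 0) + b"\x00\x53\x10\x45"
# A crafted header claiming a 4 GiB frame, followed by only four bytes.
HUGE_FRAME = struct.pack(FRAME_HEADER_FMT, 0xFFFFFFFF, 2, 0, 0) + b"\x00" * 4
# A header whose doff claims an extended header longer than the whole frame.
BAD_DOFF_FRAME = struct.pack(FRAME_HEADER_FMT, 12, 4, 0, 0) + b"\x00" * 4


if __name__ == "__main__":
    print("unchecked body length for HUGE_FRAME:", unchecked_body_len(HUGE_FRAME))
    for name, frame in (("GOOD", GOOD_FRAME), ("HUGE", HUGE_FRAME),
                        ("BAD_DOFF", BAD_DOFF_FRAME)):
        print(name, check_frame(frame))
```

The point of ordering is that `parse_frame_header` rejects the crafted header on the size bound alone, so the reader never asks for the body; raising the limit to the spec maximum still leaves the truncation check to fail the frame rather than block on a body that never arrives.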
Resolution:
Users who have AMQP 1.0 support enabled (default) should upgrade their
Qpid Broker-J to version 6.1.5 or later.
Mitigation:
If upgrading the broker is not possible, users can choose to disable
AMQP 1.0 by either setting the system property
"qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
excluding "AMQP_1_0" from the supported protocol list on all AMQP
ports, or by removing the AMQP 1.0 related jar files from the Java
classpath.
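The second mitigation, excluding "AMQP_1_0" from the supported protocol list on every AMQP port, as an added example rather than a tool shipped with Broker-J: the script edits the broker's JSON configuration and reports what it changed. It assumes the configuration has a top-level "ports" array whose AMQP entries either omit "type" or set it to "AMQP" and carry an optional "protocols" list, and that a port with no "protocols" attribute serves every protocol the broker supports, which is why such a port gets an explicit list instead of being skipped. The protocol names other than "AMQP_1_0" are assumed to follow the same spelling pattern as the one the advisory uses; the sample configuration is constructed for the example.

```python
import copy
import json

AMQP_1_0 = "AMQP_1_0"
# Assumed spellings of the older protocol names, following the advisory's "AMQP_1_0".
LEGACY_PROTOCOLS = ["AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1", "AMQP_0_10"]


def is_amqp_port(port: dict) -> bool:
    """Assumption: AMQP ports omit "type" or set it to "AMQP"; management
    ports carry another type (e.g. "HTTP") and are left untouched."""
    return port.get("type", "AMQP") == "AMQP"


def ports_serving_amqp_1_0(config: dict) -> list:
    """Names of AMQP ports that still accept AMQP 1.0: either listed explicitly,
    or no "protocols" attribute at all (meaning every supported protocol)."""
    names = []
    for port in config.get("ports", []):
        if not is_amqp_port(port):
            continue
        protocols = port.get("protocols")
        if protocols is None or AMQP_1_0 in protocols:
            names.append(port.get("name", "<unnamed>"))
    return names


def disable_amqp_1_0(config: dict) -> tuple:
    """Return (new_config, changes) with AMQP 1.0 removed from every AMQP port.
    The input is not modified."""
    new_config = copy.deepcopy(config)
    changes = []
    for port in new_config.get("ports", []):
        if not is_amqp_port(port):
            continue
        name = port.get("name", "<unnamed>")
        if "protocols" not in port:
            port["protocols"] = list(LEGACY_PROTOCOLS)
            changes.append("%s: no protocol list (all protocols enabled); restricted to %s"
                           % (name, ",".join(LEGACY_PROTOCOLS)))
        elif AMQP_1_0 in port["protocols"]:
            port["protocols"] = [p for p in port["protocols"] if p != AMQP_1_0]
            changes.append("%s: removed %s" % (name, AMQP_1_0))
            if not port["protocols"]:
                # A port that only served AMQP 1.0 now serves nothing; flag it.
                changes.append("%s: WARNING no protocols left, remove or reconfigure the port" % name)
    return new_config, changes


def rewrite_config_text(text: str) -> tuple:
    """Apply disable_amqp_1_0 to the JSON text of a config file."""
    new_config, changes = disable_amqp_1_0(json.loads(text))
    return json.dumps(new_config, indent=2), changes


# Constructed sample configuration for this example, not a real broker's file.
SAMPLE_CONFIG = {
    "name": "Broker",
    "ports": [
        {"name": "AMQP", "port": "5672", "authenticationProvider": "passwordFile",
         "protocols": ["AMQP_0_9_1", "AMQP_0_10", "AMQP_1_0"]},
        {"name": "AMQP-all", "port": "5673", "authenticationProvider": "passwordFile"},
        {"name": "HTTP", "type": "HTTP", "port": "8080",
         "authenticationProvider": "passwordFile", "protocols": ["HTTP"]},
    ],
}


if __name__ == "__main__":
    print("before:", ports_serving_amqp_1_0(SAMPLE_CONFIG))
    new_text, changes = rewrite_config_text(json.dumps(SAMPLE_CONFIG))
    for change in changes:
        print(change)
    print("after:", ports_serving_amqp_1_0(json.loads(new_text)))
```

Run `ports_serving_amqp_1_0` on the rewritten file before restarting the broker and treat a non-empty result as a failed mitigation; a port with an empty protocol list is reported as a warning rather than silently dropped, since that port then accepts no AMQP connections at all.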
References:
https://issues.apache.org/jira/browse/QPID-7947