A vulnerability in Apache Qpid, the open source messaging system that implements the Advanced Message Queuing Protocol (AMQP), can be exploited by an authenticated attacker to cause the message broker process to crash.
CVE identifiers are already being assigned for vulnerabilities uncovered this year. CVE-2015-0203 and a CVSS score of 5.2 have been assigned to the Apache Qpid vulnerability reported by G. Geshev from MWR Labs.
The Qpid message broker (qpidd) in version 0.30 and prior can be caused to crash with unexpected protocol sequences due to insufficient checks. The issue can be considered a form of denial-of-service (DoS), the Apache Software Foundation said in its advisory.
According to Apache, there are three exploitation scenarios, all of which result with the broker process exiting.
The AMQP 0-10 protocol defines a sequence set containing ID ranges. In the first exploitation scenario, a sequence set containing an invalid range is sent (i.e. the start of the range is after the end) to crash the broker.
“The AMQP 0-10 protocol defines header- and body- segments that may follow certain commands. The only command for which such segments are expected by qpidd is the message-transfer command. If another command is sent that includes header and/or body segments, this will cause a segmentation fault in the broker process, causing it then to exit,” reads the description of the second case.
In the third case, “the AMQP 0-10 protocol defines a session-gap control that can be sent on any established session. The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the brokers handling causes an assertion which results in the broker process exiting.”
The vulnerability will be addressed in upcoming releases. However, developers have also published a patch for Qpid 0.30. The issue has been fixed by sending an exception control to the remote peer and leave the broker available to all other users, Apache said.
This isn’t the first Apache Qpid vulnerability identified by Geshev. Last year, the expert discovered that the Qpid broker could be induced to make HTTP requests (CVE-2014-3629).
