Connect with us

Hi, what are you looking for?



Apache Fixes DoS Flaw in Qpid Messaging System

A vulnerability in Apache Qpid, the open source messaging system that implements the Advanced Message Queuing Protocol (AMQP), can be exploited by an authenticated attacker to cause the message broker process to crash.

A vulnerability in Apache Qpid, the open source messaging system that implements the Advanced Message Queuing Protocol (AMQP), can be exploited by an authenticated attacker to cause the message broker process to crash.

CVE identifiers are already being assigned for vulnerabilities uncovered this year. CVE-2015-0203 and a CVSS score of 5.2 have been assigned to the Apache Qpid vulnerability reported by G. Geshev from MWR Labs.

The Qpid message broker (qpidd) in version 0.30 and prior can be caused to crash with unexpected protocol sequences due to insufficient checks. The issue can be considered a form of denial-of-service (DoS), the Apache Software Foundation said in its advisory.

According to Apache, there are three exploitation scenarios, all of which result with the broker process exiting. 

The AMQP 0-10 protocol defines a sequence set containing ID ranges. In the first exploitation scenario, a sequence set containing an invalid range is sent (i.e. the start of the range is after the end) to crash the broker.

“The AMQP 0-10 protocol defines header- and body- segments that may follow certain commands. The only command for which such segments are expected by qpidd is the message-transfer command. If another command is sent that includes header and/or body segments, this will cause a segmentation fault in the broker process, causing it then to exit,” reads the description of the second case.

In the third case, “the AMQP 0-10 protocol defines a session-gap control that can be sent on any established session. The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the brokers handling causes an assertion which results in the broker process exiting.”

Advertisement. Scroll to continue reading.

The vulnerability will be addressed in upcoming releases. However, developers have also published a patch for Qpid 0.30. The issue has been fixed by sending an exception control to the remote peer and leave the broker available to all other users, Apache said.

This isn’t the first Apache Qpid vulnerability identified by Geshev. Last year, the expert discovered that the Qpid broker could be induced to make HTTP requests (CVE-2014-3629).

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.