Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apache Fixes DoS Flaw in Qpid Messaging System

A vulnerability in Apache Qpid, the open source messaging system that implements the Advanced Message Queuing Protocol (AMQP), can be exploited by an authenticated attacker to cause the message broker process to crash.

A vulnerability in Apache Qpid, the open source messaging system that implements the Advanced Message Queuing Protocol (AMQP), can be exploited by an authenticated attacker to cause the message broker process to crash.

CVE identifiers are already being assigned for vulnerabilities uncovered this year. CVE-2015-0203 and a CVSS score of 5.2 have been assigned to the Apache Qpid vulnerability reported by G. Geshev from MWR Labs.

The Qpid message broker (qpidd) in version 0.30 and prior can be caused to crash with unexpected protocol sequences due to insufficient checks. The issue can be considered a form of denial-of-service (DoS), the Apache Software Foundation said in its advisory.

According to Apache, there are three exploitation scenarios, all of which result with the broker process exiting. 

The AMQP 0-10 protocol defines a sequence set containing ID ranges. In the first exploitation scenario, a sequence set containing an invalid range is sent (i.e. the start of the range is after the end) to crash the broker.

“The AMQP 0-10 protocol defines header- and body- segments that may follow certain commands. The only command for which such segments are expected by qpidd is the message-transfer command. If another command is sent that includes header and/or body segments, this will cause a segmentation fault in the broker process, causing it then to exit,” reads the description of the second case.

In the third case, “the AMQP 0-10 protocol defines a session-gap control that can be sent on any established session. The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the brokers handling causes an assertion which results in the broker process exiting.”

The vulnerability will be addressed in upcoming releases. However, developers have also published a patch for Qpid 0.30. The issue has been fixed by sending an exception control to the remote peer and leave the broker available to all other users, Apache said.

Advertisement. Scroll to continue reading.

This isn’t the first Apache Qpid vulnerability identified by Geshev. Last year, the expert discovered that the Qpid broker could be induced to make HTTP requests (CVE-2014-3629).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.