A vulnerability in Apache Qpid, the open source messaging system that implements the Advanced Message Queuing Protocol (AMQP), can be exploited by an authenticated attacker to cause the message broker process to crash.
CVE identifiers are already being assigned for vulnerabilities uncovered this year. CVE-2015-0203 and a CVSS score of 5.2 have been assigned to the Apache Qpid vulnerability reported by G. Geshev from MWR Labs.
The Qpid message broker (qpidd) in version 0.30 and prior can be caused to crash with unexpected protocol sequences due to insufficient checks. The issue can be considered a form of denial-of-service (DoS), the Apache Software Foundation said in its advisory.
According to Apache, there are three exploitation scenarios, all of which result with the broker process exiting.
The AMQP 0-10 protocol defines a sequence set containing ID ranges. In the first exploitation scenario, a sequence set containing an invalid range is sent (i.e. the start of the range is after the end) to crash the broker.
“The AMQP 0-10 protocol defines header- and body- segments that may follow certain commands. The only command for which such segments are expected by qpidd is the message-transfer command. If another command is sent that includes header and/or body segments, this will cause a segmentation fault in the broker process, causing it then to exit,” reads the description of the second case.
In the third case, “the AMQP 0-10 protocol defines a session-gap control that can be sent on any established session. The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the brokers handling causes an assertion which results in the broker process exiting.”
The vulnerability will be addressed in upcoming releases. However, developers have also published a patch for Qpid 0.30. The issue has been fixed by sending an exception control to the remote peer and leave the broker available to all other users, Apache said.
This isn’t the first Apache Qpid vulnerability identified by Geshev. Last year, the expert discovered that the Qpid broker could be induced to make HTTP requests (CVE-2014-3629).
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
