<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>CVE-2015-0203 - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-top" class="panel">
<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
<ul id="-global-navigation">
<li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
<li><a href="/documentation.html">Documentation</a></li>
<li><a href="/download.html">Download</a></li>
<li><a href="/discussion.html">Discussion</a></li>
</ul>
</div>
<div id="-menu" class="panel" style="display: none;">
<div class="flex">
<section>
<h3>Project</h3>
<ul>
<li><a href="/overview.html">Overview</a></li>
<li><a href="/components/index.html">Components</a></li>
<li><a href="/releases/index.html">Releases</a></li>
</ul>
</section>
<section>
<h3>Messaging APIs</h3>
<ul>
<li><a href="/proton/index.html">Qpid Proton</a></li>
<li><a href="/components/jms/index.html">Qpid JMS</a></li>
<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
</ul>
</section>
<section>
<h3>Servers and tools</h3>
<ul>
<li><a href="/components/broker-j/index.html">Broker-J</a></li>
<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
</ul>
</section>
<section>
<h3>Resources</h3>
<ul>
<li><a href="/dashboard.html">Dashboard</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
<li><a href="/resources.html">More resources</a></li>
</ul>
</section>
</div>
</div>
<div id="-search" class="panel" style="display: none;">
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
<button type="submit">Search</button>
<a href="/search.html">More ways to search</a>
</form>
</div>
<div id="-middle" class="panel">
<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2015-0203</li></ul>
<div id="-middle-content">
<h1 id="cve-2015-0203">CVE-2015-0203</h1>
<h2 id="severity">Severity</h2>
<p>Moderate</p>
<h2 id="affected-components">Affected components</h2>
<p>Qpid C++ broker</p>
<h2 id="affected-versions">Affected versions</h2>
<p>0.30 and earlier</p>
<h2 id="fixed-versions">Fixed versions</h2>
<p>0.32 and later</p>
<h2 id="description">Description</h2>
<p>Qpidd can be crashed by an authenticated user.</p>
<p>Certain unexpected protocol sequences cause the broker process to
crash due to insufficient checking. Three distinct cases were
identified as follows:</p>
<ul>
<li><p>The AMQP 0-10 protocol defines a sequence set containing id
ranges. The qpidd broker can be crashed by sending it a
sequence-set containing an invalid range, where the start of the
range is after the end. This condition triggers an assertion failure,
which causes the broker process to exit.</p></li>
<li><p>The AMQP 0-10 protocol defines header and body segments that may
follow certain commands. The only command for which such segments
are expected by qpidd is the message-transfer command. If another
command is sent that includes header and/or body segments, this
will cause a segmentation fault in the broker process, which then
exits.</p></li>
<li><p>The AMQP 0-10 protocol defines a session-gap control that can be
sent on any established session. The qpidd broker does not support
this control and responds with an appropriate error if requested on
an established session. However, if the control is sent before the
session is opened, the broker's handling triggers an assertion failure,
which results in the broker process exiting.</p></li>
</ul>
<p>Authentication can be used to restrict access to the broker. However,
any authenticated user would be able to trigger this condition, which
could therefore be considered a form of denial of service.</p>
<h2 id="resolution">Resolution</h2>
<p>A patch is available (QPID-6310) that handles all these errors by
sending an exception control to the remote peer and leaves the broker
available to all other users. The fix will be included in subsequent
releases, but can be applied to 0.30 if desired.</p>
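<p>The three checks described above, modelled as an added example that is not code from the Qpid project or from the QPID-6310 patch: each malformed input yields a verdict that the broker would report to the peer as an exception, instead of reaching an assertion. The Frame, Session and Verdict types and the check function are hypothetical, and the session's attached flag is assumed to be maintained by the caller.</p>

```cpp
// Added illustration: every type and name below is hypothetical, not Qpid code.
#include <cstdint>
#include <utility>
#include <vector>

enum class Kind { Command, Control, Header, Body };
enum class Op { MessageTransfer, MessageAccept, SessionGap, None };
enum class Verdict { Accept, BadRange, GapUnsupported, GapBeforeOpen,
                     NotAttached, UnexpectedSegment };

struct Frame {
    Kind kind;
    Op op;                                                        // used by Command and Control
    std::vector<std::pair<std::uint32_t, std::uint32_t>> ranges;  // (start, end) of a sequence-set
};

struct Session {
    bool attached = false;  // assumed to be set by the caller once the session is opened
    Op current = Op::None;  // command that following header/body segments belong to
};

// Every non-Accept verdict stands for an exception sent to the peer; nothing
// here asserts on peer-controlled input.
Verdict check(Session& s, const Frame& f) {
    for (const auto& r : f.ranges)       // case 1: range start after end
        if (r.first > r.second)          // plain integer comparison (simplification)
            return Verdict::BadRange;
    switch (f.kind) {
    case Kind::Control:                  // case 3: test session state, never assume it
        if (f.op == Op::SessionGap)
            return s.attached ? Verdict::GapUnsupported : Verdict::GapBeforeOpen;
        return Verdict::Accept;
    case Kind::Command:
        if (!s.attached) return Verdict::NotAttached;
        s.current = f.op;
        return Verdict::Accept;
    case Kind::Header:
    case Kind::Body:                     // case 2: content only after message-transfer
        if (!s.attached || s.current != Op::MessageTransfer)
            return Verdict::UnexpectedSegment;
        return Verdict::Accept;
    }
    return Verdict::UnexpectedSegment;   // unknown frame kind
}

int main() {  // constructed input: session-gap on a session that was never opened
    Session s;
    return check(s, Frame{Kind::Control, Op::SessionGap, {}}) == Verdict::GapBeforeOpen ? 0 : 1;
}
```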
<h2 id="credit">Credit</h2>
<p>This issue was discovered by G. Geshev from MWR Labs.</p>
<h2 id="references">References</h2>
<p><a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a></p>
<hr/>
<ul id="-apache-navigation">
<li><a href="http://www.apache.org/">Apache</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="/security.html">Security</a></li>
<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
</ul>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>