Google Git
Sign in
apache / qpid-site / 255aeca4bd52dc8a8e5d341d49d795b3c3d54f38 / . / content / cves / CVE-2016-3094.html
blob: 0758502601fed13b2a85fc9afa8d9722b843e994 [file] [log] [blame]
<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>CVE-2016-3094 - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-top" class="panel">
<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
<ul id="-global-navigation">
<li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
<li><a href="/documentation.html">Documentation</a></li>
<li><a href="/download.html">Download</a></li>
<li><a href="/discussion.html">Discussion</a></li>
</ul>
</div>
<div id="-menu" class="panel" style="display: none;">
<div class="flex">
<section>
<h3>Project</h3>
<ul>
<li><a href="/overview.html">Overview</a></li>
<li><a href="/components/index.html">Components</a></li>
<li><a href="/releases/index.html">Releases</a></li>
</ul>
</section>
<section>
<h3>Messaging APIs</h3>
<ul>
<li><a href="/proton/index.html">Qpid Proton</a></li>
<li><a href="/components/jms/index.html">Qpid JMS</a></li>
<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
</ul>
</section>
<section>
<h3>Servers and tools</h3>
<ul>
<li><a href="/components/broker-j/index.html">Broker-J</a></li>
<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
</ul>
</section>
<section>
<h3>Resources</h3>
<ul>
<li><a href="/dashboard.html">Dashboard</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
<li><a href="/resources.html">More resources</a></li>
</ul>
</section>
</div>
</div>
<div id="-search" class="panel" style="display: none;">
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
<button type="submit">Search</button>
<a href="/search.html">More ways to search</a>
</form>
</div>
<div id="-middle" class="panel">
<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-3094</li></ul>
<div id="-middle-content">
<h1 id="cve-2016-3094">CVE-2016-3094</h1>
<h2 id="severity">Severity</h2>
<p>Important</p>
<h2 id="affected-components">Affected components</h2>
<p>Broker-J</p>
<h2 id="affected-versions">Affected versions</h2>
<p>6.0.0, 6.0.1, and 6.0.2</p>
<h2 id="fixed-versions">Fixed versions</h2>
<p><a href="/releases/qpid-java-6.0.3/index.html">6.0.3</a></p>
<h2 id="description">Description</h2>
<p>Denial of Service.</p>
<p>A malformed authentication attempt may cause the broker to terminate.
The Apache Qpid Broker-J supports a number of configurable
authentication providers each supporting various SASL mechanisms. Some
mechanisms need (or can be configured to accept) plain-text passwords
being sent to the Broker (using the SASL "PLAIN" mechanism). Where
the broker has been configured to allow plain-text passwords for
authentication it is possible for a client to send a malformed
authentication attempt which will lead the broker to terminate due to
an uncaught Exception.</p>
<p>Brokers configured to use authentication from the "PlainPasswordFile",
"SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if
the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled
on non-TLS ports, but enabled on TLS connections).</p>
<h2 id="mitigation">Mitigation</h2>
<p>Users should upgrade their Apache Qpid Broker-J to
version 6.0.3 or later. If this is not possible, users can disable
the PLAIN mechanism for their authentication manager on versions 0.32
and later by adding "PLAIN" to the list of disabledMechanisms on their
authentication provider object.</p>
<p>Note that the SimpleLDAP authentication provider requires PLAIN and so
this work around does not apply there.</p>
<h2 id="credit">Credit</h2>
<p>This issue was discovered by Alex Szczuczko of Red Hat, Inc.</p>
<h2 id="references">References</h2>
<p><a href="https://issues.apache.org/jira/browse/QPID-7271">QPID-7271</a></p>
<hr/>
<ul id="-apache-navigation">
<li><a href="http://www.apache.org/">Apache</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="/security.html">Security</a></li>
<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
</ul>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>