content/cves/CVE-2016-4432.html

<!DOCTYPE html>
<!--
 -
 - Licensed to the Apache Software Foundation (ASF) under one
 - or more contributor license agreements.  See the NOTICE file
 - distributed with this work for additional information
 - regarding copyright ownership.  The ASF licenses this file
 - to you under the Apache License, Version 2.0 (the
 - "License"); you may not use this file except in compliance
 - with the License.  You may obtain a copy of the License at
 -
 -   http://www.apache.org/licenses/LICENSE-2.0
 -
 - Unless required by applicable law or agreed to in writing,
 - software distributed under the License is distributed on an
 - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 - KIND, either express or implied.  See the License for the
 - specific language governing permissions and limitations
 - under the License.
 -
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
  <head>
    <title>CVE-2016-4432 - Apache Qpid&#8482;</title>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
    <script type="text/javascript">var _deferredFunctions = [];</script>
    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
    <!--[if lte IE 8]>
      <link rel="stylesheet" href="/ie.css" type="text/css"/>
      <script type="text/javascript" src="/html5shiv.js"></script>
    <![endif]-->

    <!-- Redirects for `go get` and godoc.org -->
    <meta name="go-import"
          content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
    <meta name="go-source"
          content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
  </head>
  <body>
    <div id="-content">
      <div id="-top" class="panel">
        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>

        <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>

        <ul id="-global-navigation">
          <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
          <li><a href="/documentation.html">Documentation</a></li>
          <li><a href="/download.html">Download</a></li>
          <li><a href="/discussion.html">Discussion</a></li>
        </ul>
      </div>

      <div id="-menu" class="panel" style="display: none;">
        <div class="flex">
          <section>
            <h3>Project</h3>

            <ul>
              <li><a href="/overview.html">Overview</a></li>
              <li><a href="/components/index.html">Components</a></li>
              <li><a href="/releases/index.html">Releases</a></li>
            </ul>
          </section>

          <section>
            <h3>Messaging APIs</h3>

            <ul>
              <li><a href="/proton/index.html">Qpid Proton</a></li>
              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
              <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
            </ul>
          </section>

          <section>
            <h3>Servers and tools</h3>

            <ul>
              <li><a href="/components/broker-j/index.html">Broker-J</a></li>
              <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
              <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
            </ul>
          </section>

          <section>
            <h3>Resources</h3>

            <ul>
              <li><a href="/dashboard.html">Dashboard</a></li>
              <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
              <li><a href="/resources.html">More resources</a></li>
            </ul>
          </section>
        </div>
      </div>

      <div id="-search" class="panel" style="display: none;">
        <form action="http://www.google.com/search" method="get">
          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
          <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
          <button type="submit">Search</button>
          <a href="/search.html">More ways to search</a>
        </form>
      </div>

      <div id="-middle" class="panel">
        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4432</li></ul>

        <div id="-middle-content">
          <h1 id="cve-2016-4432">CVE-2016-4432</h1>

<h2 id="severity">Severity</h2>

<p>Important</p>

<h2 id="affected-components">Affected components</h2>

<p>Qpid Broker-J</p>

<h2 id="affected-versions">Affected versions</h2>

<p>6.0.2 and earlier</p>

<h2 id="fixed-versions">Fixed versions</h2>

<p><a href="/releases/qpid-java-6.0.3/index.html">6.0.3</a></p>

<h2 id="description">Description</h2>

<p>The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and
0-10 connections contains a flaw that allows authentication to be
bypassed.  An remote attacker can exploit this vulnerability to
perform actions, without the need to specify valid credentials.  For
instance, unauthorised messages could be injected or messages stolen.</p>

<p>The vulnerability cannot be exploited if the Access Control List (ACL)
feature is enabled AND access to all virtual hosts controlled.</p>

<p>The vulnerability does not apply to the Broker's AMQP 1.0 support.</p>

<p>The vulnerability does not apply if the Broker is configured to
require SSL client authentication for all messaging connections.</p>

<h2 id="resolution">Resolution</h2>

<p>Users should upgrade the Apache Qpid Broker-J to
version 6.0.3 or later (recommended).</p>

<h2 id="mitigation">Mitigation</h2>

<p>If upgrading is not possible, the vulnerability can be mitigated using
an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists
user access to all virtualhosts.</p>

<p>If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the
vulnerability can also be mitigated by turning off these protocols at
the Port level.</p>

<h2 id="references">References</h2>

<p><a href="https://issues.apache.org/jira/browse/QPID-7257">QPID-7257</a></p>


          <hr/>

          <ul id="-apache-navigation">
            <li><a href="http://www.apache.org/">Apache</a></li>
            <li><a href="http://www.apache.org/licenses/">License</a></li>
            <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
            <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
            <li><a href="/security.html">Security</a></li>
            <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
          </ul>

          <p id="-legal">
            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
            The Apache Software Foundation; Licensed under
            the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
            Proton, Apache, the Apache feather logo, and the Apache Qpid
            project logo are trademarks of The Apache Software
            Foundation; All other marks mentioned may be trademarks or
            registered trademarks of their respective owners
          </p>
        </div>
      </div>
    </div>
  </body>
</html>