Google Git
Sign in
apache / qpid-site / 255aeca4bd52dc8a8e5d341d49d795b3c3d54f38 / . / content / cves / CVE-2018-1298.html
blob: 48552267d4e45f2c82aed5c4cce813a592538a5c [file] [log] [blame]
<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-top" class="panel">
<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
<ul id="-global-navigation">
<li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
<li><a href="/documentation.html">Documentation</a></li>
<li><a href="/download.html">Download</a></li>
<li><a href="/discussion.html">Discussion</a></li>
</ul>
</div>
<div id="-menu" class="panel" style="display: none;">
<div class="flex">
<section>
<h3>Project</h3>
<ul>
<li><a href="/overview.html">Overview</a></li>
<li><a href="/components/index.html">Components</a></li>
<li><a href="/releases/index.html">Releases</a></li>
</ul>
</section>
<section>
<h3>Messaging APIs</h3>
<ul>
<li><a href="/proton/index.html">Qpid Proton</a></li>
<li><a href="/components/jms/index.html">Qpid JMS</a></li>
<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
</ul>
</section>
<section>
<h3>Servers and tools</h3>
<ul>
<li><a href="/components/broker-j/index.html">Broker-J</a></li>
<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
</ul>
</section>
<section>
<h3>Resources</h3>
<ul>
<li><a href="/dashboard.html">Dashboard</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
<li><a href="/resources.html">More resources</a></li>
</ul>
</section>
</div>
</div>
<div id="-search" class="panel" style="display: none;">
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
<button type="submit">Search</button>
<a href="/search.html">More ways to search</a>
</form>
</div>
<div id="-middle" class="panel">
<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms</li></ul>
<div id="-middle-content">
<h1 id="cve-2018-1298-apache-qpid-broker-j-denial-of-service-vulnerability-with-plain-and-xoauth2-sasl-mechanisms">CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms</h1>
<h2 id="severity">Severity</h2>
<p>Important</p>
<h2 id="affected-components">Affected components</h2>
<p>Qpid Broker-J</p>
<h2 id="affected-versions">Affected versions</h2>
<p>7.0.0</p>
<h2 id="fixed-versions">Fixed versions</h2>
<p><a href="/releases/qpid-broker-j-7.0.1/index.html">7.0.1</a></p>
<h2 id="description">Description</h2>
<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0
in functionality for authentication of connections for AMQP protocols 0-8, 0-9,
0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability
allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and
HTTP connections are not affected.</p>
<p>An authentication of incoming AMQP connections in Apache Qpid Broker-J is
performed by special entities called "Authentication Providers". Each
Authentication Provider can support several SASL mechanisms
which are offered to the connecting clients as part of SASL negotiation process.
The client chooses the most appropriate SASL mechanism for authentication.</p>
<p>Authentication Providers of following types supports PLAIN SASL mechanism:</p>
<ul>
<li>Plain</li>
<li>PlainPasswordFile</li>
<li>SimpleLDAP</li>
<li>Base64MD5PasswordFile</li>
<li>MD5</li>
<li>SCRAM-SHA-256</li>
<li>SCRAM-SHA-1</li>
</ul>
<p>XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2.</p>
<p>If an AMQP port is configured with any of these Authentication Providers, the
Broker may be vulnerable.</p>
<h2 id="resolution">Resolution</h2>
<p>Users of Broker-J version 7.0.0 utilizing affected Authentication Providers on
AMQP ports with support for AMQP 0-8, 0-9, 0-91 or 0-10 must upgrade to version
7.0.1 or later.</p>
<h2 id="mitigation">Mitigation</h2>
<p>If upgrade of the broker is not possible, the SimpleLDAP and OAuth2 must be
replaced with an alternative provider. For the remaining affected types of
Authentication Providers the PLAIN SASL mechanism must be disabled by including
"PLAIN" in the "disabledMechanisms" attribute of the provider. The changes can
be made either directly in the broker configuration file or via management
interfaces (for example, REST API]). A broker restart is required for the
changes to take effect. Here is a template for curl utility call to disable
PLAIN mechanism using REST API:</p>
<p><code>sh
curl --user &lt;user-name&gt; -X POST -d '{"disabledMechanisms":["PLAIN"]}' https://&lt;broker host&gt;:&lt;broker https port&gt;/api/latest/authenticationprovider/&lt;provider name&gt;
</code></p>
<p>Alternatively, when only AMQP 1.0 protocol is used, the support for older AMQP
protocols can be removed on the AMQP port. It can be done either from Broker-J
Web Management Console or via management interfaces. A broker restart is
required for the changes to take effect. Here is a template for curl REST API
call to restrict port supported AMQP protocols to AMQP 1.0:</p>
<p><code>sh
curl --user &lt;user-name&gt; -X POST -d '{"protocols":["AMQP_1_0"]}' https://&lt;broker host&gt;:&lt;broker https port&gt;/api/latest/port/&lt;port name&gt;
</code></p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://issues.apache.org/jira/browse/QPID-8046">QPID-8046</a></li>
<li><a href="https://qpid.apache.org/releases/qpid-broker-j-7.0.0/book/Java-Broker-Management-Channel-REST-API.html">REST API</a></li>
</ul>
<hr/>
<ul id="-apache-navigation">
<li><a href="http://www.apache.org/">Apache</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="/security.html">Security</a></li>
<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
</ul>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>