| <!DOCTYPE html> |
| <!-- |
| - |
| - Licensed to the Apache Software Foundation (ASF) under one |
| - or more contributor license agreements. See the NOTICE file |
| - distributed with this work for additional information |
| - regarding copyright ownership. The ASF licenses this file |
| - to you under the Apache License, Version 2.0 (the |
| - "License"); you may not use this file except in compliance |
| - with the License. You may obtain a copy of the License at |
| - |
| - http://www.apache.org/licenses/LICENSE-2.0 |
| - |
| - Unless required by applicable law or agreed to in writing, |
| - software distributed under the License is distributed on an |
| - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| - KIND, either express or implied. See the License for the |
| - specific language governing permissions and limitations |
| - under the License. |
| - |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> |
| <head> |
| <title>CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms - Apache Qpid™</title> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"/> |
| <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> |
| <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> |
| <script type="text/javascript">var _deferredFunctions = [];</script> |
| <script type="text/javascript" src="/deferred.js" defer="defer"></script> |
| <!--[if lte IE 8]> |
| <link rel="stylesheet" href="/ie.css" type="text/css"/> |
| <script type="text/javascript" src="/html5shiv.js"></script> |
| <![endif]--> |
| |
| <!-- Redirects for `go get` and godoc.org --> |
| <meta name="go-import" |
| content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> |
| <meta name="go-source" |
| content="qpid.apache.org |
| https://github.com/apache/qpid-proton/blob/go1/README.md |
| https://github.com/apache/qpid-proton/tree/go1{/dir} |
| https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> |
| </head> |
| <body> |
| <div id="-content"> |
| <div id="-top" class="panel"> |
| <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> |
| |
| <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> |
| |
| <ul id="-global-navigation"> |
| <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> |
| <li><a href="/documentation.html">Documentation</a></li> |
| <li><a href="/download.html">Download</a></li> |
| <li><a href="/discussion.html">Discussion</a></li> |
| </ul> |
| </div> |
| |
| <div id="-menu" class="panel" style="display: none;"> |
| <div class="flex"> |
| <section> |
| <h3>Project</h3> |
| |
| <ul> |
| <li><a href="/overview.html">Overview</a></li> |
| <li><a href="/components/index.html">Components</a></li> |
| <li><a href="/releases/index.html">Releases</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Messaging APIs</h3> |
| |
| <ul> |
| <li><a href="/proton/index.html">Qpid Proton</a></li> |
| <li><a href="/components/jms/index.html">Qpid JMS</a></li> |
| <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Servers and tools</h3> |
| |
| <ul> |
| <li><a href="/components/broker-j/index.html">Broker-J</a></li> |
| <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> |
| <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Resources</h3> |
| |
| <ul> |
| <li><a href="/dashboard.html">Dashboard</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> |
| <li><a href="/resources.html">More resources</a></li> |
| </ul> |
| </section> |
| </div> |
| </div> |
| |
| <div id="-search" class="panel" style="display: none;"> |
| <form action="http://www.google.com/search" method="get"> |
| <input type="hidden" name="sitesearch" value="qpid.apache.org"/> |
| <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> |
| <button type="submit">Search</button> |
| <a href="/search.html">More ways to search</a> |
| </form> |
| </div> |
| |
| <div id="-middle" class="panel"> |
| <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms</li></ul> |
| |
| <div id="-middle-content"> |
| <h1 id="cve-2018-1298-apache-qpid-broker-j-denial-of-service-vulnerability-with-plain-and-xoauth2-sasl-mechanisms">CVE-2018-1298: Apache Qpid Broker-J Denial of Service Vulnerability with PLAIN and XOAUTH2 SASL mechanisms</h1> |
| |
| <h2 id="severity">Severity</h2> |
| |
| <p>Important</p> |
| |
| <h2 id="affected-components">Affected components</h2> |
| |
| <p>Qpid Broker-J</p> |
| |
| <h2 id="affected-versions">Affected versions</h2> |
| |
| <p>7.0.0</p> |
| |
| <h2 id="fixed-versions">Fixed versions</h2> |
| |
| <p><a href="/releases/qpid-broker-j-7.0.1/index.html">7.0.1</a></p> |
| |
| <h2 id="description">Description</h2> |
| |
<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0
in the functionality that authenticates connections for AMQP protocols 0-8, 0-9,
0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability
allows an unauthenticated attacker to crash the broker instance. AMQP 1.0 and
HTTP connections are not affected.</p>
| |
<p>Authentication of incoming AMQP connections in Apache Qpid Broker-J is
performed by entities called "Authentication Providers". Each
Authentication Provider can support several SASL mechanisms, which are
offered to connecting clients as part of the SASL negotiation process.
The client chooses the most appropriate SASL mechanism for authentication.</p>
| |
<p>Authentication Providers of the following types support the PLAIN SASL mechanism:</p>
| |
| <ul> |
| <li>Plain</li> |
| <li>PlainPasswordFile</li> |
| <li>SimpleLDAP</li> |
| <li>Base64MD5PasswordFile</li> |
| <li>MD5</li> |
| <li>SCRAM-SHA-256</li> |
| <li>SCRAM-SHA-1</li> |
| </ul> |
| |
<p>The XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2.</p>
| |
| <p>If an AMQP port is configured with any of these Authentication Providers, the |
| Broker may be vulnerable.</p> |
| |
| <h2 id="resolution">Resolution</h2> |
| |
<p>Users of Broker-J version 7.0.0 who use affected Authentication Providers on
AMQP ports that support AMQP 0-8, 0-9, 0-91 or 0-10 must upgrade to version
7.0.1 or later.</p>
| |
| <h2 id="mitigation">Mitigation</h2> |
| |
<p>If upgrading the broker is not possible, SimpleLDAP and OAuth2 providers must be
replaced with an alternative provider. For the remaining affected types of
Authentication Providers the PLAIN SASL mechanism must be disabled by including
"PLAIN" in the "disabledMechanisms" attribute of the provider. The change can
be made either directly in the broker configuration file or via the management
interfaces (for example, the REST API). A broker restart is required for the
change to take effect. Here is a template for a curl call that disables the
PLAIN mechanism using the REST API (replace the angle-bracket placeholders):</p>
| |
<pre><code class="language-sh">curl --user &lt;user-name&gt; -X POST -d '{"disabledMechanisms":["PLAIN"]}' https://&lt;broker host&gt;:&lt;broker https port&gt;/api/latest/authenticationprovider/&lt;provider name&gt;
</code></pre>
| |
<p>Alternatively, when only the AMQP 1.0 protocol is used, support for the older AMQP
protocols can be removed from the AMQP port. This can be done either from the Broker-J
Web Management Console or via the management interfaces. A broker restart is
required for the change to take effect. Here is a template for a curl REST API
call that restricts the protocols supported by the port to AMQP 1.0:</p>
| |
<pre><code class="language-sh">curl --user &lt;user-name&gt; -X POST -d '{"protocols":["AMQP_1_0"]}' https://&lt;broker host&gt;:&lt;broker https port&gt;/api/latest/port/&lt;port name&gt;
</code></pre>
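<p>The Description and Mitigation sections together define a checkable condition: a broker is exposed only where an AMQP port that still speaks a pre-1.0 AMQP version authenticates with a provider that still offers PLAIN or XOAUTH2. The following script, added here as an editorial example and not part of the advisory or of Broker-J, applies that rule to a configuration in the shape of a Broker-J config.json and maps each finding to the REST update the Mitigation section describes. It assumes a broker at version 7.0.0, the top-level "authenticationproviders" and "ports" lists, the protocol identifiers AMQP_0_8, AMQP_0_9, AMQP_0_9_1 and AMQP_0_10 for the older versions, and that an AMQP port with no explicit "protocols" attribute accepts every AMQP version; the sample configuration is constructed for the example.</p>

```python
import json

# Provider types the advisory lists as offering PLAIN, and the type offering XOAUTH2.
PLAIN_PROVIDER_TYPES = {
    "Plain", "PlainPasswordFile", "SimpleLDAP", "Base64MD5PasswordFile",
    "MD5", "SCRAM-SHA-256", "SCRAM-SHA-1",
}
XOAUTH2_PROVIDER_TYPES = {"OAuth2"}

# Identifiers of the affected AMQP versions. Assumed to match the values the
# Broker-J port "protocols" attribute takes; the advisory only shows "AMQP_1_0".
LEGACY_AMQP = {"AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1", "AMQP_0_10"}
ALL_AMQP = LEGACY_AMQP.union({"AMQP_1_0"})


def vulnerable_mechanism(provider):
    """"PLAIN" or "XOAUTH2" if the provider, as configured, still offers a flagged
    mechanism, else None. disabledMechanisms only helps for PLAIN: the advisory
    gives no such workaround for OAuth2, that provider has to be replaced."""
    ptype = provider.get("type")
    if ptype in XOAUTH2_PROVIDER_TYPES:
        return "XOAUTH2"
    disabled = set(provider.get("disabledMechanisms", []))
    if ptype in PLAIN_PROVIDER_TYPES and "PLAIN" not in disabled:
        return "PLAIN"
    return None


def port_protocols(port):
    """Effective protocol set of a port (assumption: no explicit list means all)."""
    protocols = port.get("protocols")
    return set(ALL_AMQP if protocols is None else protocols)


def audit(config):
    """(port name, provider name, mechanism) for every AMQP port that both speaks
    a pre-1.0 AMQP version and uses a provider still offering PLAIN or XOAUTH2."""
    providers = {p["name"]: p for p in config.get("authenticationproviders", [])}
    findings = []
    for port in config.get("ports", []):
        if port.get("type", "AMQP") != "AMQP":
            continue  # HTTP (management) ports are not affected
        if not LEGACY_AMQP.intersection(port_protocols(port)):
            continue  # AMQP 1.0-only ports are not affected
        provider = providers.get(port.get("authenticationProvider"), {})
        mechanism = vulnerable_mechanism(provider)
        if mechanism is not None:
            findings.append((port["name"], provider["name"], mechanism))
    return findings


def mitigation(finding, config):
    """(REST path, JSON body) for a finding, following the advisory's two options.
    PLAIN: add "PLAIN" to the provider's disabledMechanisms, keeping any already
    disabled. XOAUTH2: restrict the port to AMQP 1.0, acceptable only when every
    client of that port speaks AMQP 1.0; otherwise replace the OAuth2 provider."""
    port_name, provider_name, mechanism = finding
    if mechanism == "PLAIN":
        provider = next(p for p in config["authenticationproviders"]
                        if p["name"] == provider_name)
        disabled = sorted(set(provider.get("disabledMechanisms", [])).union({"PLAIN"}))
        return ("/api/latest/authenticationprovider/" + provider_name,
                {"disabledMechanisms": disabled})
    return ("/api/latest/port/" + port_name, {"protocols": ["AMQP_1_0"]})


# Constructed sample in the shape of a Broker-J config.json (structure assumed).
SAMPLE_CONFIG = json.loads("""
{"name": "Broker",
 "authenticationproviders": [
   {"name": "passwordFile", "type": "PlainPasswordFile", "path": "/etc/qpid/passwd"},
   {"name": "scram", "type": "SCRAM-SHA-256", "disabledMechanisms": ["PLAIN"]},
   {"name": "sso", "type": "OAuth2"}],
 "ports": [
   {"name": "AMQP", "port": 5672, "authenticationProvider": "passwordFile"},
   {"name": "AMQP-1.0-only", "port": 5673, "authenticationProvider": "passwordFile",
    "protocols": ["AMQP_1_0"]},
   {"name": "AMQP-scram", "port": 5674, "authenticationProvider": "scram"},
   {"name": "AMQP-oauth", "port": 5675, "authenticationProvider": "sso",
    "protocols": ["AMQP_0_10", "AMQP_1_0"]},
   {"name": "HTTP", "port": 8080, "type": "HTTP", "authenticationProvider": "passwordFile",
    "protocols": ["HTTP"]}]}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        path, body = mitigation(finding, SAMPLE_CONFIG)
        print("port %s via provider %s still offers %s" % finding)
        # Same shape as the advisory's curl templates; USER, BROKER, HTTPS_PORT are placeholders.
        print("  curl --user USER -X POST -d '%s' https://BROKER:HTTPS_PORT%s"
              % (json.dumps(body), path))
```

<p>On the sample configuration the script reports the default port "AMQP" (PlainPasswordFile with PLAIN still enabled, all AMQP versions accepted) and "AMQP-oauth" (OAuth2 on a port that still accepts AMQP 0-10), while the AMQP 1.0-only port, the SCRAM port with PLAIN already disabled, and the HTTP port are correctly left alone. The PLAIN mitigation merges into the existing disabledMechanisms rather than overwriting them, so a provider that had other mechanisms disabled does not silently regain them.</p>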
| |
| <h2 id="references">References</h2> |
| |
| <ul> |
| <li><a href="https://issues.apache.org/jira/browse/QPID-8046">QPID-8046</a></li> |
| <li><a href="https://qpid.apache.org/releases/qpid-broker-j-7.0.0/book/Java-Broker-Management-Channel-REST-API.html">REST API</a></li> |
| </ul> |
| |
| |
| <hr/> |
| |
| <ul id="-apache-navigation"> |
| <li><a href="http://www.apache.org/">Apache</a></li> |
| <li><a href="http://www.apache.org/licenses/">License</a></li> |
| <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> |
| <li><a href="/security.html">Security</a></li> |
| <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> |
| </ul> |
| |
| <p id="-legal"> |
| Apache Qpid, Messaging built on AMQP; Copyright © 2015 |
| The Apache Software Foundation; Licensed under |
| the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache |
| License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, |
| Proton, Apache, the Apache feather logo, and the Apache Qpid |
| project logo are trademarks of The Apache Software |
| Foundation; All other marks mentioned may be trademarks or |
| registered trademarks of their respective owners |
| </p> |
| </div> |
| </div> |
| </div> |
| </body> |
| </html> |