<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>CVE-2018-8030: Apache Qpid Broker-J Denial of Service Vulnerability when AMQP 0-8...0-91 messages exceed maximum size limit - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-middle" class="panel">
<div id="-middle-content">
<h1 id="cve-2018-8030-apache-qpid-broker-j-denial-of-service-vulnerability-when-amqp-0-80-91-messages-exceed-maximum-size-limit">CVE-2018-8030: Apache Qpid Broker-J Denial of Service Vulnerability when AMQP 0-8...0-91 messages exceed maximum size limit</h1>
<h2 id="severity">Severity</h2>
<p>Important</p>
<h2 id="affected-components">Affected components</h2>
<p>Qpid Broker-J</p>
<h2 id="affected-versions">Affected versions</h2>
<p>7.0.0, 7.0.1, 7.0.2, 7.0.3 and 7.0.4</p>
<h2 id="fixed-versions">Fixed versions</h2>
<p><a href="/releases/qpid-broker-j-7.0.5/index.html">7.0.5</a></p>
<h2 id="description">Description</h2>
<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J
versions 7.0.0-7.0.4 when the AMQP 0-8, 0-9 or 0-91 protocols are used to
publish messages whose size exceeds the allowed maximum message size limit
(100MB by default). The broker crashes due to the defect. The AMQP 0-10
and 1.0 protocols are not affected.</p>
<h2 id="resolution">Resolution</h2>
<p>Users of Broker-J versions 7.0.0-7.0.4 who use the AMQP 0-8, 0-9 or 0-91 protocols
for message publishing must upgrade to version 7.0.5 or later.</p>
<h2 id="mitigation">Mitigation</h2>
<p>If upgrading the broker is not possible, the maximum message size limit can be
disabled by setting the context variable "qpid.max_message_size" to "0" or
any negative value. The change can be made directly in the broker
configuration file, through the management interfaces (for example, the REST API),
or with the JVM option -Dqpid.max_message_size=0. A broker restart is required
for the change to take effect.</p>
<p>Alternatively, support for the AMQP 0-8, 0-9 and 0-91 protocols can be
removed from the AMQP ports.
This change can likewise be made directly in the broker configuration file
or through the management interfaces. An example REST API call that
restricts an AMQP port to AMQP 1.0 and AMQP 0-10 only, using the curl
utility, is given below:</p>
<pre><code class="language-sh">curl --user &lt;user-name&gt; -X POST -d '{"protocols":["AMQP_1_0","AMQP_0_10"]}' https://&lt;broker host&gt;:&lt;broker port&gt;/api/latest/port/&lt;port name&gt;
</code></pre>
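<p>The following script is an added example, not part of this advisory or of Broker-J, that checks whether the conditions described above still hold: an affected version, an enabled size limit, and a port that accepts the legacy protocols. It runs over a constructed port listing; the legacy protocol names AMQP_0_8, AMQP_0_9 and AMQP_0_9_1, the "type" and "protocols" port attributes, and the treatment of a port without an explicit protocol list are assumptions about the broker's model.</p>

```python
import json

# Broker-J protocol identifiers: the advisory's curl example uses "AMQP_1_0"
# and "AMQP_0_10"; the three legacy names below are assumed to follow the
# same scheme.
LEGACY_PROTOCOLS = {"AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1"}
AFFECTED_VERSIONS = {"7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4"}

# Constructed sample of a port listing as the management REST API might
# return it; only "name", "type" and "protocols" are read (attribute names
# are assumptions).
SAMPLE_PORTS_JSON = json.dumps([
    {"name": "AMQP", "type": "AMQP",
     "protocols": ["AMQP_0_8", "AMQP_0_9", "AMQP_0_9_1", "AMQP_0_10", "AMQP_1_0"]},
    {"name": "AMQP_TLS", "type": "AMQP", "protocols": ["AMQP_1_0", "AMQP_0_10"]},
    {"name": "AMQP_DEFAULT", "type": "AMQP"},  # no explicit protocol list
    {"name": "HTTP", "type": "HTTP", "protocols": ["HTTP"]},
])


def version_affected(version):
    """True for the releases the advisory lists as affected."""
    return version in AFFECTED_VERSIONS


def size_limit_enabled(max_message_size):
    """The limit is off when qpid.max_message_size is 0 or negative."""
    return int(max_message_size) > 0


def exposed_ports(ports_json, version, max_message_size):
    """Names of AMQP ports on which the CVE-2018-8030 condition still holds.

    A port with no explicit protocol list is treated conservatively as
    accepting every AMQP version (assumption about the broker's default).
    """
    if not version_affected(version) or not size_limit_enabled(max_message_size):
        return []
    exposed = []
    for port in json.loads(ports_json):
        if port.get("type") != "AMQP":
            continue
        protocols = port.get("protocols")
        if not protocols or LEGACY_PROTOCOLS & set(protocols):
            exposed.append(port["name"])
    return exposed


def hardened_protocols(protocols):
    """Protocol list with the legacy versions removed; usable as the
    "protocols" value in the advisory's REST POST body."""
    return [p for p in protocols if p not in LEGACY_PROTOCOLS]
```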
<h2 id="references">References</h2>
<ul>
<li><a href="https://issues.apache.org/jira/browse/QPID-8203">QPID-8203</a></li>
<li><a href="https://qpid.apache.org/releases/qpid-broker-j-7.0.5/book/Java-Broker-Management-Channel-REST-API.html">REST API</a></li>
</ul>
<hr/>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>