content/cves/CVE-2019-0200.html - qpid-site - Git at Google

 <!DOCTYPE html>
 <!--
  -
  - Licensed to the Apache Software Foundation (ASF) under one
  - or more contributor license agreements.  See the NOTICE file
  - distributed with this work for additional information
  - regarding copyright ownership.  The ASF licenses this file
  - to you under the Apache License, Version 2.0 (the
  - "License"); you may not use this file except in compliance
  - with the License.  You may obtain a copy of the License at
  -
  -   http://www.apache.org/licenses/LICENSE-2.0
  -
  - Unless required by applicable law or agreed to in writing,
  - software distributed under the License is distributed on an
  - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  - KIND, either express or implied.  See the License for the
  - specific language governing permissions and limitations
  - under the License.
  -
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
     <title>CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands - Apache Qpid&#8482;</title>
     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
     <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
     <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
     <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
     <script type="text/javascript">var _deferredFunctions = [];</script>
     <script type="text/javascript" src="/deferred.js" defer="defer"></script>
     <!--[if lte IE 8]>
       <link rel="stylesheet" href="/ie.css" type="text/css"/>
       <script type="text/javascript" src="/html5shiv.js"></script>
     <![endif]-->

     <!-- Redirects for `go get` and godoc.org -->
     <meta name="go-import"
           content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/>
     <meta name="go-source"
           content="qpid.apache.org
 https://github.com/apache/qpid-proton/blob/go1/README.md
 https://github.com/apache/qpid-proton/tree/go1{/dir}
 https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
   </head>
   <body>
     <div id="-content">
       <div id="-top" class="panel">
         <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>

         <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>

         <ul id="-global-navigation">
           <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
           <li><a href="/documentation.html">Documentation</a></li>
           <li><a href="/download.html">Download</a></li>
           <li><a href="/discussion.html">Discussion</a></li>
         </ul>
       </div>

       <div id="-menu" class="panel" style="display: none;">
         <div class="flex">
           <section>
             <h3>Project</h3>

             <ul>
               <li><a href="/overview.html">Overview</a></li>
               <li><a href="/components/index.html">Components</a></li>
               <li><a href="/releases/index.html">Releases</a></li>
             </ul>
           </section>

           <section>
             <h3>Messaging APIs</h3>

             <ul>
               <li><a href="/proton/index.html">Qpid Proton</a></li>
               <li><a href="/components/jms/index.html">Qpid JMS</a></li>
               <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
             </ul>
           </section>

           <section>
             <h3>Servers and tools</h3>

             <ul>
               <li><a href="/components/broker-j/index.html">Broker-J</a></li>
               <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
               <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
             </ul>
           </section>

           <section>
             <h3>Resources</h3>

             <ul>
               <li><a href="/dashboard.html">Dashboard</a></li>
               <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
               <li><a href="/resources.html">More resources</a></li>
             </ul>
           </section>
         </div>
       </div>

       <div id="-search" class="panel" style="display: none;">
         <form action="http://www.google.com/search" method="get">
           <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
           <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
           <button type="submit">Search</button>
           <a href="/search.html">More ways to search</a>
         </form>
       </div>

       <div id="-middle" class="panel">
         <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands</li></ul>

         <div id="-middle-content">
           <h1 id="cve-2019-0200-apache-qpid-broker-j-denial-of-service-due-to-malformed-amqp-0-8-to-0-10-commands">CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands</h1>

 <h2 id="severity">Severity</h2>

 <p>Critical</p>

 <h2 id="affected-components">Affected components</h2>

 <p>Qpid Broker-J</p>

 <h2 id="affected-versions">Affected versions</h2>

 <p>6.0.0-7.0.6 and 7.1.0</p>

 <h2 id="fixed-versions">Fixed versions</h2>

 <p>7.0.7, 7.1.1</p>

 <h2 id="description">Description</h2>

 <p>A Denial of Service vulnerability was found in Apache Qpid Broker-J
 versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated
 attacker to crash the broker instance by sending specially crafted
 commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and
 0-10).</p>

 <h2 id="resolution">Resolution</h2>

 <p>Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0
 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid
 Broker-J versions 7.0.7 or 7.1.1 or later.</p>

 <h2 id="mitigation">Mitigation</h2>

 <p>If upgrade of the broker is not possible, the support for AMQP protocols
 0-8...0-10 can be disabled on AMQP ports. The change can be made either
 directly in the broker configuration file or by using management interfaces.</p>

 <p>An example of REST API call restricting AMQP port to support only AMQP 1.0
 using curl utility is provided below:</p>

 <p><code>sh
 curl --user &lt;user-name&gt; -X POST  -d '{"protocols":["AMQP_1_0"]}' https://&lt;broker host&gt;:&lt;broker port&gt;/api/latest/port/&lt;port name&gt;
 </code></p>

 <h2 id="references">References</h2>

 <ul>
 <li><a href="https://issues.apache.org/jira/browse/QPID-8273">QPID-8273</a></li>
 </ul>


           <hr/>

           <ul id="-apache-navigation">
             <li><a href="http://www.apache.org/">Apache</a></li>
             <li><a href="http://www.apache.org/licenses/">License</a></li>
             <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
             <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
             <li><a href="/security.html">Security</a></li>
             <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
           </ul>

           <p id="-legal">
             Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
             The Apache Software Foundation; Licensed under
             the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
             License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
             Proton, Apache, the Apache feather logo, and the Apache Qpid
             project logo are trademarks of The Apache Software
             Foundation; All other marks mentioned may be trademarks or
             registered trademarks of their respective owners
           </p>
         </div>
       </div>
     </div>
   </body>
 </html>
	<!DOCTYPE html>
	<!--
	-
	- Licensed to the Apache Software Foundation (ASF) under one
	- or more contributor license agreements. See the NOTICE file
	- distributed with this work for additional information
	- regarding copyright ownership. The ASF licenses this file
	- to you under the Apache License, Version 2.0 (the
	- "License"); you may not use this file except in compliance
	- with the License. You may obtain a copy of the License at
	-
	- http://www.apache.org/licenses/LICENSE-2.0
	-
	- Unless required by applicable law or agreed to in writing,
	- software distributed under the License is distributed on an
	- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	- KIND, either express or implied. See the License for the
	- specific language governing permissions and limitations
	- under the License.
	-
	-->
	<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
	<head>
	<title>CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands - Apache Qpid™</title>
	<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
	<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
	<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
	<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
	<script type="text/javascript">var _deferredFunctions = [];</script>
	<script type="text/javascript" src="/deferred.js" defer="defer"></script>
	<!--[if lte IE 8]>
	<link rel="stylesheet" href="/ie.css" type="text/css"/>
	<script type="text/javascript" src="/html5shiv.js"></script>
	<![endif]-->

	<!-- Redirects for `go get` and godoc.org -->
	<meta name="go-import"
	content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/>
	<meta name="go-source"
	content="qpid.apache.org
	https://github.com/apache/qpid-proton/blob/go1/README.md
	https://github.com/apache/qpid-proton/tree/go1{/dir}
	https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
	</head>
	<body>
	<div id="-content">
	<div id="-top" class="panel">
	<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>

	<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>

	<ul id="-global-navigation">
	<li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
	<li><a href="/documentation.html">Documentation</a></li>
	<li><a href="/download.html">Download</a></li>
	<li><a href="/discussion.html">Discussion</a></li>
	</ul>
	</div>

	<div id="-menu" class="panel" style="display: none;">
	<div class="flex">
	<section>
	<h3>Project</h3>

	<ul>
	<li><a href="/overview.html">Overview</a></li>
	<li><a href="/components/index.html">Components</a></li>
	<li><a href="/releases/index.html">Releases</a></li>
	</ul>
	</section>

	<section>
	<h3>Messaging APIs</h3>

	<ul>
	<li><a href="/proton/index.html">Qpid Proton</a></li>
	<li><a href="/components/jms/index.html">Qpid JMS</a></li>
	<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
	</ul>
	</section>

	<section>
	<h3>Servers and tools</h3>

	<ul>
	<li><a href="/components/broker-j/index.html">Broker-J</a></li>
	<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
	<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
	</ul>
	</section>

	<section>
	<h3>Resources</h3>

	<ul>
	<li><a href="/dashboard.html">Dashboard</a></li>
	<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
	<li><a href="/resources.html">More resources</a></li>
	</ul>
	</section>
	</div>
	</div>

	<div id="-search" class="panel" style="display: none;">
	<form action="http://www.google.com/search" method="get">
	<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
	<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
	<button type="submit">Search</button>
	<a href="/search.html">More ways to search</a>
	</form>
	</div>

	<div id="-middle" class="panel">
	<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands</li></ul>

	<div id="-middle-content">
	<h1 id="cve-2019-0200-apache-qpid-broker-j-denial-of-service-due-to-malformed-amqp-0-8-to-0-10-commands">CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands</h1>

	<h2 id="severity">Severity</h2>

	<p>Critical</p>

	<h2 id="affected-components">Affected components</h2>

	<p>Qpid Broker-J</p>

	<h2 id="affected-versions">Affected versions</h2>

	<p>6.0.0-7.0.6 and 7.1.0</p>

	<h2 id="fixed-versions">Fixed versions</h2>

	<p>7.0.7, 7.1.1</p>

	<h2 id="description">Description</h2>

	<p>A Denial of Service vulnerability was found in Apache Qpid Broker-J
	versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated
	attacker to crash the broker instance by sending specially crafted
	commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and
	0-10).</p>

	<h2 id="resolution">Resolution</h2>

	<p>Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0
	utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid
	Broker-J versions 7.0.7 or 7.1.1 or later.</p>

	<h2 id="mitigation">Mitigation</h2>

	<p>If upgrade of the broker is not possible, the support for AMQP protocols
	0-8...0-10 can be disabled on AMQP ports. The change can be made either
	directly in the broker configuration file or by using management interfaces.</p>

	<p>An example of REST API call restricting AMQP port to support only AMQP 1.0
	using curl utility is provided below:</p>

	<p><code>sh
	curl --user <user-name> -X POST -d '{"protocols":["AMQP_1_0"]}' https://<broker host>:<broker port>/api/latest/port/<port name>
	</code></p>

	<h2 id="references">References</h2>

	<ul>
	<li><a href="https://issues.apache.org/jira/browse/QPID-8273">QPID-8273</a></li>
	</ul>


	<hr/>

	<ul id="-apache-navigation">
	<li><a href="http://www.apache.org/">Apache</a></li>
	<li><a href="http://www.apache.org/licenses/">License</a></li>
	<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
	<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
	<li><a href="/security.html">Security</a></li>
	<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
	</ul>

	<p id="-legal">
	Apache Qpid, Messaging built on AMQP; Copyright © 2015
	The Apache Software Foundation; Licensed under
	the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
	License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
	Proton, Apache, the Apache feather logo, and the Apache Qpid
	project logo are trademarks of The Apache Software
	Foundation; All other marks mentioned may be trademarks or
	registered trademarks of their respective owners
	</p>
	</div>
	</div>
	</div>
	</body>
	</html>