Description
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.
Statement
This issue did not affect the versions of the qpid-java broker as shipped with Red Hat MRG 2 and 3 and Satellite 6 as they did not use the access feature (e.g. Satellite 6 relies on client certificate authentication to control access).
Mitigation
If upgrading is not possible, the vulnerability can be mitigated using an ACL file containing "ACCESS VIRTUALHOST" clauses that white-list user access to all virtualhosts. If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can also be mitigated by turning off these protocols at the Port level.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise MRG 2 | qpid-java | Will not fix | | |
| Red Hat Enterprise MRG 3 | qpid-java | Will not fix | | |
| Red Hat Satellite 6 | qpid-java | Will not fix | | |
Additional information
Status:
EPSS
6.8 Medium
CVSS2
Related vulnerabilities
AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication