Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-1298

Опубликовано: 21 нояб. 2017
Источник: redhat
CVSS3: 7.5

Описание

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called "Authentication Providers". Each Authentication Provider can support several SASL mechanisms which are offered to the connecting clients as part of SASL negotiation process. The client chooses the most appropriate SASL mechanism for authentication. Authentication Providers of following types supports PLAIN SASL mechanism: Plain, PlainPasswordFile, SimpleLDAP, Base64MD5PasswordFile, MD5, SCRAM-SHA-256, SCRAM-SHA-1. XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2. If an AMQP port is configured with any of these Authentication Providers, the Broker may be vulnerable.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise MRG 2qpid-javaNot affected
Red Hat Enterprise MRG 3qpid-javaNot affected
Red Hat JBoss A-MQ 6qpid-javaNot affected
Red Hat JBoss Fuse 6qpid-javaNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-358
https://bugzilla.redhat.com/show_bug.cgi?id=1543717qpid-java: Incorrect implementation of some SASL mechanisms can allow a remote unauthenticated attacker to cause a denial of service

7.5 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2018-1298

CVSS3: 5.9
nvd
почти 8 лет назад

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called "Authentication Providers". Each Authentication Provider can support several SASL mechanisms which are offered to the connecting clients as part of SASL negotiation process. The client chooses the most appropriate SASL mechanism for authentication. Authentication Providers of following types supports PLAIN SASL mechanism: Plain, PlainPasswordFile, SimpleLDAP, Base64MD5PasswordFile, MD5, SCRAM-SHA-256, SCRAM-SHA-1. XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2. If an AMQP port is configured with any of these A

debian логотип

CVE-2018-1298

CVSS3: 5.9
debian
почти 8 лет назад

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7. ...

github логотип

GHSA-6w3v-66mj-2qm6

CVSS3: 5.9
github
больше 7 лет назад

Moderate severity vulnerability that affects org.apache.qpid:apache-qpid-broker-j

7.5 High

CVSS3