First published: Thu Jun 28 2012(Updated: )
In the AMQP messaging scheme implementation each broker can have both, direct connections and shadow connections. A shadow connection represents a connection to another broker in the cluster. Members use shadow connections to simulate the actions of other brokers, so that all members arrive at the same time. Output for shadow connections is just discarded, brokers only send data to their directly-connected clients. A security flaw was found in the way the Apache Qpid C++ implementation performed authentication of connections creating "catch-up" shadow connections, which are used when broker joins the cluster. An AMQP client could use this to fake shadow connections to the AMQP broker. This issue was caused by using NullAuthenticator mechanism for authenticating these "catch-up" shadow connection and was fixed by making broker require authentication. Upstream ticket: [1] <a href="https://issues.apache.org/jira/browse/QPID-3849">https://issues.apache.org/jira/browse/QPID-3849</a> Relevant upstream patch: [2] <a href="http://svn.apache.org/viewvc?view=revision&revision=1352992">http://svn.apache.org/viewvc?view=revision&revision=1352992</a>
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Qpid | <=0.16 | |
Apache Qpid | =0.5 | |
Apache Qpid | =0.6 | |
Apache Qpid | =0.14 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.