Apache Fixes Message Broker Software

Tuesday, January 20, 2015 @ 11:01 AM gHale

Apache has fixed a vulnerability in its Qpid message broker that let a connecting client crash the broker process (qpidd).

A message broker relays messages between applications, letting them exchange data without connecting to each other directly.

The weakness in Apache Qpid, tracked as CVE-2015-0203, is rated moderate severity. Several unexpected AMQP protocol sequences cause the qpidd broker process to exit, which an attacker can use for a denial of service (DoS).

There are three scenarios in which the crash occurs. In the first, AMQP defines a sequence-set type that holds ranges of command IDs. Delivering to the qpidd broker a “sequence-set containing an invalid range, where the start of the range is after the end” caused it to crash.
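The sequence-set crash is a classic instance of asserting on peer-controlled input: the broker assumed every range had start <= end and an assert turned a malformed frame into a process exit. The following is an added example, not Qpid's own code, showing how a decoder can instead reject such input as a protocol error. The layout it parses (a 16-bit byte length followed by big-endian 32-bit start/end pairs) and the RFC 1982 serial-number comparison used to decide whether a start is "after" its end are assumptions about the AMQP 0-10 encoding, chosen to illustrate the check; the sample frames are constructed for this example.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// Decoding outcomes. Anything other than Ok is a protocol error that the
// broker should report to the peer (and then drop the connection), never a
// condition to assert on.
enum class DecodeStatus { Ok, Truncated, OddLength, InvertedRange };

struct SequenceSet {
    std::vector<std::pair<uint32_t, uint32_t>> ranges; // inclusive [start, end]
};

static uint16_t readU16(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}

static uint32_t readU32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// RFC 1982 serial-number comparison (assumed here for AMQP 0-10 sequence
// numbers): a is "after" b when the wrapped difference is positive.
static bool serialAfter(uint32_t a, uint32_t b) {
    return static_cast<int32_t>(a - b) > 0;
}

// Parse a sequence-set (assumed layout: uint16 byte length, then pairs of
// uint32 start/end). Every check returns an error status; there is no assert.
DecodeStatus decodeSequenceSet(const std::vector<uint8_t>& buf, SequenceSet& out) {
    out.ranges.clear();
    if (buf.size() < 2) return DecodeStatus::Truncated;
    const uint16_t len = readU16(buf.data());
    if (buf.size() < size_t(2) + len) return DecodeStatus::Truncated;
    if (len % 8 != 0) return DecodeStatus::OddLength;   // must be whole pairs

    for (size_t off = 2; off < size_t(2) + len; off += 8) {
        const uint32_t start = readU32(buf.data() + off);
        const uint32_t end = readU32(buf.data() + off + 4);
        // The CVE-2015-0203 sequence-set case: a range whose start is after
        // its end. A remote peer controls these bytes, so reject rather than
        // assume (or assert) the invariant.
        if (serialAfter(start, end)) return DecodeStatus::InvertedRange;
        out.ranges.push_back({start, end});
    }
    return DecodeStatus::Ok;
}

// Constructed sample frames for this example.
std::vector<uint8_t> validSet()    { return {0x00, 0x08, 0, 0, 0, 5, 0, 0, 0, 9}; }
std::vector<uint8_t> invertedSet() { return {0x00, 0x08, 0, 0, 0, 9, 0, 0, 0, 5}; }
// A range that wraps around the 32-bit space is still valid under serial
// comparison, which a naive start > end check would wrongly reject.
std::vector<uint8_t> wrappedSet()  { return {0x00, 0x08, 0xFF, 0xFF, 0xFF, 0xFE, 0, 0, 0, 1}; }

static const char* statusName(DecodeStatus s) {
    switch (s) {
        case DecodeStatus::Ok:            return "ok";
        case DecodeStatus::Truncated:     return "truncated";
        case DecodeStatus::OddLength:     return "odd length";
        case DecodeStatus::InvertedRange: return "inverted range";
    }
    return "?";
}

int main() {
    SequenceSet s;
    std::printf("valid:    %s\n", statusName(decodeSequenceSet(validSet(), s)));
    std::printf("inverted: %s\n", statusName(decodeSequenceSet(invertedSet(), s)));
    std::printf("wrapped:  %s\n", statusName(decodeSequenceSet(wrappedSet(), s)));
    return 0;
}
```

The same principle applies to the other two crashes described in this article: header or body segments after a command that does not take them, and a session-gap control arriving before the session is open, are both peer-controlled states that the protocol layer should answer with an error, not an assertion.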

In the second, AMQP allows header and body segments to follow certain commands. If they arrive after a command other than message-transfer, the qpidd process exits.

The third involves the session-gap control, which AMQP allows to be sent on any established session.

“The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the broker’s handling causes an assertion which results in the broker process exiting,” the Apache advisory said.

To address the issue, the Apache Software Foundation released a patch for Qpid 0.30 and earlier; the fix is included in release 0.31 and all future releases.
