Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120809180145.GS1458@redhat.com>
Date: Thu, 9 Aug 2012 12:01:45 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2012-3467: Unauthorized access (authentication bypass) from
 client to broker due to use of NullAuthenticator in shadow connections

Just a heads up to advise those shipping qpid-cpp of the following flaw:

In the AMQP messaging scheme implementation each broker can have both, direct
connections and shadow connections. A shadow connection represents a connection
to another broker in the cluster. Members use shadow connections to simulate
the actions of other brokers, so that all members arrive at the same time.
Output for shadow connections is just discarded, brokers only send data to
their directly-connected clients.

A security flaw was found in the way the Qpid C++ libraries implementation,
used by AMQP client applications to exchange messages with an AMQP message
broker using the AMQP protocol, performed authentication for certain shadow
connections. An AMQP client application could issue a phoney shadow connection
to the AMQP broker, leading into situation that AMQP broker to consider the
connection it to be a legitimate connection from another AMQP broker,
subsequently using NullAuthenticator mechanism for authentication, allowing the
AMQP client application to bypass the authentication.


This has been assigned the name CVE-2012-3467.

References:

https://issues.apache.org/jira/browse/QPID-3849
http://svn.apache.org/viewvc?view=revision&revision=1352992
https://bugzilla.redhat.com/show_bug.cgi?id=836276

Also, as a aide note, this affects (possibly Red Hat-specific naming
convention) the qpid-cpp-server-cluster package, other qpid packages  are not
affected.

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.