Denial of service occurs under three scenarios

Jan 14, 2015 14:08 GMT

Apache’s message broker software Qpid received a fix on Tuesday for a vulnerability that caused its process to crash.

A message broker mediates communication between applications, letting them exchange data with databases other than the ones they were written for.

The weakness affecting Qpid, now tracked as CVE-2015-0203, is rated moderate severity: certain unexpected protocol sequences cause the qpidd broker process to terminate abruptly.

Triggering the problem requires an authenticated user; since the crash takes the broker down for every user logged in at the time, the glitch amounts to a form of denial of service (DoS).

Crash occurs under several conditions

Three scenarios have been identified in which the crash can occur. The first involves sequence sets, which the Advanced Message Queuing Protocol (AMQP) defines as collections of ID ranges. Delivering to the qpidd broker a “sequence-set containing an invalid range, where the start of the range is after the end” caused it to crash.

The second involves the header and body segments that AMQP allows to follow certain commands; if such segments are sent to qpidd following a command other than “message-transfer”, the process exits.

The third involves the session-gap control, which AMQP defines as sendable on any established session.

“The qpidd broker does not support this control and responds with an appropriate error if requested on an established session. However, if the control is sent before the session is opened, the broker’s handling causes an assertion which results in the broker process exiting,” the advisory from Apache reads.

All Qpid versions are affected, save the latest

To mitigate the issue, the Apache Software Foundation has released a patch for versions 0.30 and lower of the product, which brings them to revision 0.31. All future releases will ship with the problem eliminated.

The fix addresses all three cases by returning an exception control to the offending remote client while keeping the message broker up and running for everyone else.
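The first scenario and the shape of the fix can be illustrated with a small decoder that validates a sequence-set frame and hands back an error for the offending session instead of asserting. This is an added example written for this article, not code from Apache Qpid: the wire layout (a big-endian 16-bit byte count followed by lower/upper uint32 pairs), the plain unsigned comparison in place of AMQP 0-10’s RFC 1982 serial arithmetic, and the text of the exception reply are all simplifications chosen here.

```cpp
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Added illustration of defensive decoding; not Apache Qpid code.
// Assumed wire layout: big-endian uint16 byte count, then (lower, upper)
// uint32 pairs. Real AMQP 0-10 sequence numbers use RFC 1982 serial
// arithmetic; a plain unsigned comparison is used here for clarity.

struct SequenceRange {
    uint32_t lower;
    uint32_t upper;  // inclusive
};

enum class DecodeStatus { Ok, Truncated, InvalidRange };

struct DecodeResult {
    DecodeStatus status = DecodeStatus::Ok;
    std::vector<SequenceRange> ranges;
    std::string errorText;  // text the broker would put in its error reply
};

static uint16_t readU16(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint16_t>((b[off] << 8) | b[off + 1]);
}

static uint32_t readU32(const std::vector<uint8_t>& b, size_t off) {
    return (static_cast<uint32_t>(b[off]) << 24) |
           (static_cast<uint32_t>(b[off + 1]) << 16) |
           (static_cast<uint32_t>(b[off + 2]) << 8) |
            static_cast<uint32_t>(b[off + 3]);
}

// Every length and ordering check returns a status instead of asserting, so a
// malformed frame from one authenticated client cannot take the whole
// process (and every other client's session) down with it.
DecodeResult decodeSequenceSet(const std::vector<uint8_t>& buf) {
    DecodeResult r;
    if (buf.size() < 2) {
        r.status = DecodeStatus::Truncated;
        r.errorText = "sequence-set: missing size prefix";
        return r;
    }
    const size_t declared = readU16(buf, 0);
    if (declared % 8 != 0 || 2 + declared > buf.size()) {
        r.status = DecodeStatus::Truncated;
        r.errorText = "sequence-set: size prefix inconsistent with payload";
        return r;
    }
    for (size_t off = 2; off < 2 + declared; off += 8) {
        SequenceRange range{readU32(buf, off), readU32(buf, off + 4)};
        if (range.lower > range.upper) {  // start after end: reject, don't assert
            r.status = DecodeStatus::InvalidRange;
            r.errorText = "sequence-set: range start " + std::to_string(range.lower) +
                          " is after end " + std::to_string(range.upper);
            r.ranges.clear();
            return r;
        }
        r.ranges.push_back(range);
    }
    return r;
}

// Models the broker's dispatch decision: a well-formed set is acted on, a bad
// one produces an exception reply for the offending session only. The reply
// string is a stand-in, not Qpid's actual control encoding.
std::string handleSequenceSetFrame(const std::vector<uint8_t>& buf) {
    DecodeResult r = decodeSequenceSet(buf);
    if (r.status != DecodeStatus::Ok) {
        return "execution.exception(illegal-argument): " + r.errorText;
    }
    return "accepted " + std::to_string(r.ranges.size()) + " range(s)";
}

// Constructed sample frames (not captured traffic).
static const std::vector<uint8_t> kValidSet = {
    0x00, 0x10,                                 // 16 bytes follow: two ranges
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05,  // [1, 5]
    0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A   // [10, 10]
};
static const std::vector<uint8_t> kInvertedRange = {
    0x00, 0x08,
    0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02   // [9, 2]: start after end
};
static const std::vector<uint8_t> kTruncatedSet = {
    0x00, 0x08,
    0x00, 0x00, 0x00, 0x01                           // claims 8 bytes, carries 4
};

int main() {
    std::cout << handleSequenceSetFrame(kValidSet) << "\n";
    std::cout << handleSequenceSetFrame(kInvertedRange) << "\n";
    std::cout << handleSequenceSetFrame(kTruncatedSet) << "\n";
    return 0;
}
```

The point of the structure is that validation failures are data, not control flow that ends the process: the decoder reports the problem, the caller turns it into a reply to the one client that sent the bad frame, and the event loop serving everyone else is never interrupted.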