CVE-2012-2145 – qpid-cpp: not closing incomplete connections exhausts file descriptors, leading to DoS
https://notcve.org/view.php?id=CVE-2012-2145
Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of incomplete connections. Apache Qpid v0.17 y anteriores no restringe correctamente las conexiones entrantes de clientes, lo que permite a atacantes remotos provocar una denegación de servicio a través de un gran número de conexiones incompletas. • http://rhn.redhat.com/errata/RHSA-2012-1269.html http://rhn.redhat.com/errata/RHSA-2012-1277.html http://secunia.com/advisories/50573 http://secunia.com/advisories/50698 http://secunia.com/advisories/50699 http://www.securityfocus.com/bid/55608 https://bugzilla.redhat.com/show_bug.cgi?id=817175 https://exchange.xforce.ibmcloud.com/vulnerabilities/78730 https://issues.apache.org/jira/browse/QPID-2616 https://issues.apache.org/jira/browse/QPID-4021 https://access.redhat. • CWE-399: Resource Management Errors •
CVE-2012-3467 – qpid-cpp-server-cluster: unauthorized broker access caused by the use of NullAuthenticator catch-up shadow connections
https://notcve.org/view.php?id=CVE-2012-3467
Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication. Apache Qpid v0.14, v0.16, y anteriores utiliza un mecanismo NullAuthenticator para autenticar conexiones de puesta al día de sombra a los corredores AMQP, lo que permite a atacantes remotos evitar la autenticación. • http://rhn.redhat.com/errata/RHSA-2012-1277.html http://rhn.redhat.com/errata/RHSA-2012-1279.html http://secunia.com/advisories/50186 http://secunia.com/advisories/50698 http://svn.apache.org/viewvc?view=revision&revision=1352992 http://www.openwall.com/lists/oss-security/2012/08/09/6 http://www.securityfocus.com/bid/54954 https://bugzilla.redhat.com/show_bug.cgi?id=836276 https://exchange.xforce.ibmcloud.com/vulnerabilities/77568 https://issues.apache.org/jira/browse/ • CWE-287: Improper Authentication •
CVE-2011-3620 – qpid-cpp: cluster authentication ignores cluster-* settings
https://notcve.org/view.php?id=CVE-2011-3620
Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username. Apache Qpid v0.12 no verifica correctamente las credenciales durante la unión de un grupo, lo que permite a atacantes remotos obtener acceso a la funcionalidad de mensajería y funcionalidad de trabajo de un grupo mediante el aprovechamiento de los conocimientos, nombre de usuario. • http://secunia.com/advisories/49000 http://www.securitytracker.com/id?1026990 https://bugzilla.redhat.com/show_bug.cgi?id=747078 https://issues.apache.org/jira/browse/QPID-3652 https://reviews.apache.org/r/2988 https://access.redhat.com/security/cve/CVE-2011-3620 • CWE-287: Improper Authentication •
CVE-2009-5005 – qpid: crash on receipt of invalid AMQP data
https://notcve.org/view.php?id=CVE-2009-5005
The Cluster::deliveredEvent function in cluster/Cluster.cpp in Apache Qpid, as used in Red Hat Enterprise MRG before 1.3 and other products, allows remote attackers to cause a denial of service (daemon crash and cluster outage) via invalid AMQP data. La función Cluster::deliveredEvent de cluster/Cluster.cpp de Apache Qpid, tal como es utilizada en Red Hat Enterprise MRG en versiones anteriores a la v1.3 y otros productos, permite a atacantes remotos provocar una denegación de servicio (caída del servicio y del cluster) a través de datos AMQP inválidos. • http://secunia.com/advisories/41710 http://secunia.com/advisories/41812 http://svn.apache.org/viewvc?revision=785788&view=revision http://www.vupen.com/english/advisories/2010/2684 https://bugzilla.redhat.com/show_bug.cgi?id=642373 https://rhn.redhat.com/errata/RHSA-2010-0773.html https://rhn.redhat.com/errata/RHSA-2010-0774.html https://access.redhat.com/security/cve/CVE-2009-5005 •
CVE-2009-5006 – qpid: crash when redeclaring the exchange with specified alternate_exchange
https://notcve.org/view.php?id=CVE-2009-5006
The SessionAdapter::ExchangeHandlerImpl::checkAlternate function in broker/SessionAdapter.cpp in the C++ Broker component in Apache Qpid before 0.6, as used in Red Hat Enterprise MRG before 1.3 and other products, allows remote authenticated users to cause a denial of service (NULL pointer dereference, daemon crash, and cluster outage) by attempting to modify the alternate of an exchange. La función SessionAdapter::ExchangeHandlerImpl::checkAlternate de broker/SessionAdapter.cpp del componente C++ Broker de Apache Qpid en versiones anteriores a la v0.6, tal como es utilizado en Red Hat Enterprise MRG en versiones anteriores a la v1.3 y otros productos, permite a usuarios autenticados remotos provocar una denegación de servicio (resolución de puntero NULL, caída del demonio, y apagón del cluster) tratando de modificar el suplente de un intercambio. • http://secunia.com/advisories/41710 http://secunia.com/advisories/41812 http://svn.apache.org/viewvc?revision=811188&view=revision http://www.vupen.com/english/advisories/2010/2684 https://bugzilla.redhat.com/show_bug.cgi?id=642377 https://issues.apache.org/jira/browse/QPID-2080 https://rhn.redhat.com/errata/RHSA-2010-0773.html https://rhn.redhat.com/errata/RHSA-2010-0774.html https://access.redhat.com/security/cve/CVE-2009-5006 •