Apache Qpid Cluster Broker Authentication Security Bypass
Apache Qpid Cluster Broker Authentication Security Bypass Security Issue
Release Date : 2012-05-01
Criticality level : Moderately critical
Ipact : Security Bypass
Where : From local network
Solution Status : Vendor Workaround
Software: Apache Qpid 0.x
A security issue has been reported in Apache Qpid, which can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to the application not verifying the password or SASL credentials when joining a cluster using a cluster-username, which can be exploited to gain unauthorised access to the cluster via a malicious broker.
Successful exploitation requires the knowledge of a valid cluster-username.
The security issue is reported in version 0.12. Other versions may also be affected.
Fixed in the SVN repository.
Provided and/or discovered by:
Reported in a Red Hat bug report.
Red Hat Bug#747078: