Apache Qpid Two Denial of Service Vulnerabilities
Release Date : 2013-03-07
Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Workaround
Software: Apache Qpid 0.x
Two vulnerabilities have been reported in Apache Qpid, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).
1) An error when decoding AMQP types in certain messages can be exploited to exhaust memory resources and subsequently terminate the server process via a specially crafted client-properties map in a connection.start-ok message.
2) An integer overflow error in the "qpid::framing::Buffer::checkAvailable()" function (qpid/cpp/include/qpid/framing/Buffer.h) can be exploited to cause a buffer overflow.
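The second item is the classic integer-overflow-in-a-bounds-check pattern: a test of the form `position + count <= size` wraps when `count` is close to the type's maximum, so the check passes and the following read runs off the end of the buffer. The block below is an added example written for this advisory; it is not Qpid's `qpid::framing::Buffer` code nor the project's actual fix. The `Cursor` type, the `checkAvailableNaive`/`checkAvailableSafe`/`readLengthPrefixed` names, and the length-prefixed field layout are all constructed for illustration. It shows the overflow-prone check beside the hardened form that compares against the bytes actually remaining, and a decoder that uses the hardened form to reject an oversized declared length instead of reading out of bounds:

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal read cursor over a byte buffer. Constructed for this example; it is
// not Qpid's qpid::framing::Buffer, only a model of the same bounds-check idea.
struct Cursor {
    const uint8_t* data;
    uint32_t size;      // total bytes in the buffer
    uint32_t position;  // bytes consumed so far; invariant: position <= size
};

// Overflow-prone form of the check: position + count is computed in 32 bits,
// so a count close to UINT32_MAX wraps the sum to a small value, the test
// passes, and a subsequent read of `count` bytes runs past the buffer.
bool checkAvailableNaive(const Cursor& c, uint32_t count) {
    uint32_t end = c.position + count;  // may wrap around
    return end <= c.size;
}

// Hardened form: compare against the bytes that actually remain. Because
// position <= size always holds, size - position cannot underflow, and no
// addition is performed, so no count can make the check pass wrongly.
bool checkAvailableSafe(const Cursor& c, uint32_t count) {
    return count <= c.size - c.position;
}

// Read a 4-byte big-endian length prefix and then that many bytes, using the
// hardened check. Returns false instead of reading out of bounds when the
// declared length exceeds what remains in the buffer.
bool readLengthPrefixed(Cursor& c, std::vector<uint8_t>& out) {
    if (!checkAvailableSafe(c, 4)) return false;
    const uint8_t* p = c.data + c.position;
    uint32_t len = (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
                   (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
    c.position += 4;
    if (!checkAvailableSafe(c, len)) return false;
    out.assign(c.data + c.position, c.data + c.position + len);
    c.position += len;
    return true;
}

// Constructed inputs for the demonstration (not captured traffic).
static const uint8_t kGoodFrame[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t kBadFrame[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'a'};  // claims ~4 GiB

int main() {
    // Cursor positioned just after the bogus 0xFFFFFFFF length prefix.
    Cursor c{kBadFrame, uint32_t(sizeof(kBadFrame)), 4};
    uint32_t claimed = 0xFFFFFFFFu;
    std::printf("naive check accepts oversized length: %s\n",
                checkAvailableNaive(c, claimed) ? "yes" : "no");
    std::printf("safe check accepts oversized length:  %s\n",
                checkAvailableSafe(c, claimed) ? "yes" : "no");

    std::vector<uint8_t> payload;
    Cursor g{kGoodFrame, uint32_t(sizeof(kGoodFrame)), 0};
    std::printf("good frame decoded: %s (%zu bytes)\n",
                readLengthPrefixed(g, payload) ? "yes" : "no", payload.size());
    Cursor b{kBadFrame, uint32_t(sizeof(kBadFrame)), 0};
    std::printf("bad frame rejected: %s\n",
                readLengthPrefixed(b, payload) ? "no" : "yes");
    return 0;
}
```

The same remaining-bytes comparison is the check a decoder should apply before every length-driven read, including each entry of a map such as the client-properties field in the first item, so that a declared size can never exceed the bytes the peer actually sent.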
Fixed in the SVN repository.
Provided and/or discovered by:
Florian Weimer, Red Hat Product Security Team.