Apache Qpid Java 6.0.2 Denial Of Service Vulnerability
5 Aug. 2016
PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.
A malformed authentication attempt may cause the broker to terminate. The Qpid Java Broker supports a number of configurable authentication providers, each supporting various SASL mechanisms. Some mechanisms need (or can be configured to accept) plain-text passwords being sent to the Broker (using the SASL "PLAIN" mechanism). Where the broker has been configured to allow plain-text passwords for authentication, it is possible for a client to send a malformed authentication attempt which will lead the broker to terminate due to an uncaught Exception. Brokers configured to use authentication from the "PlainPasswordFile", "SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if the "PLAIN" mechanism is enabled (by default "PLAIN" is disabled on non-TLS ports, but enabled on TLS connections).
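The failure mode above is a server-side SASL PLAIN handler that assumes a well-formed message and lets a parsing exception escape. The following added example (not Qpid's code; a standalone illustration in Python with constructed sample inputs) parses an RFC 4616 PLAIN response defensively, so that every malformed case becomes an ordinary authentication failure the broker can log and reject instead of an uncaught exception:

```python
"""Defensive parser for a SASL PLAIN client response (RFC 4616).

Wire format: [authzid] NUL authcid NUL passwd. A handler that splits on
NUL and indexes the fields blindly raises on a malformed message; if that
exception is uncaught in the connection handler, the process can die.
Here every malformed case is converted into a structured failure.
"""
from dataclasses import dataclass
from typing import Callable, Tuple

NUL = b"\x00"


@dataclass(frozen=True)
class PlainCredentials:
    authzid: str   # may be empty: client acts as itself
    authcid: str   # authentication identity, must be non-empty
    password: str  # must be non-empty


class MalformedPlainResponse(ValueError):
    """Any PLAIN response that does not follow RFC 4616."""


def parse_sasl_plain(response: bytes, max_len: int = 1024) -> PlainCredentials:
    if not isinstance(response, (bytes, bytearray)):
        raise MalformedPlainResponse("response must be bytes")
    if len(response) > max_len:  # bound work done on unauthenticated input
        raise MalformedPlainResponse("response too long")
    parts = bytes(response).split(NUL)
    if len(parts) != 3:  # exactly two NUL separators are required
        raise MalformedPlainResponse(f"expected 2 NUL separators, found {len(parts) - 1}")
    authzid_b, authcid_b, passwd_b = parts
    if not authcid_b or not passwd_b:
        raise MalformedPlainResponse("authcid and passwd must be non-empty")
    try:
        return PlainCredentials(authzid_b.decode("utf-8"),
                                authcid_b.decode("utf-8"),
                                passwd_b.decode("utf-8"))
    except UnicodeDecodeError as exc:
        raise MalformedPlainResponse("fields must be valid UTF-8") from exc


def authenticate_plain(response: bytes,
                       check: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Parse then verify; a malformed message is a failed auth, not a crash."""
    try:
        creds = parse_sasl_plain(response)
    except MalformedPlainResponse as exc:
        return False, f"malformed PLAIN response: {exc}"
    if check(creds.authcid, creds.password):
        return True, f"authenticated {creds.authcid}"
    return False, "bad credentials"
```

The `check` callback stands in for whichever password store backs the provider; only the parsing and error handling are the point here.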