Apache Qpid Java Broker Authentication Bypass Vulnerability (CVE-2016-4432)

Critical Vulnerability Information CVE ID: CVE-2016-4432 Vulnerability Type: Authentication Bypass Severity: Important Affected Versions Affected Versions: Qpid Java Broker versions 6.0.2 and earlier Description Vulnerability Description: The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw that allows authentication to be bypassed. A remote attacker can exploit this vulnerability to perform actions without the need to specify valid credentials. For instance, unauthorized messages could be injected or messages stolen. Unaffected Scenarios: - The vulnerability cannot be exploited if the Access Control List (ACL) feature is enabled AND access to all virtual hosts is controlled. - The vulnerability does not apply to the Broker's AMQP 1.0 support. - The vulnerability does not apply if the Broker is configured to require SSL client authentication for all messaging connections. Solution Remediation: Users should upgrade the Qpid Java Broker to version 6.0.3 or later (recommended). Mitigation Measures Mitigation: - If upgrading is not possible, the vulnerability can be mitigated using an ACL file containing "ACCESS VIRTUALHOST" clauses that white-list user access to all virtual hosts. - If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can also be mitigated by turning off these protocols at the Port level. Reference Links Reference: https://issues.apache.org/jira/browse/QPID-7257

Goal Reached Thanks to every supporter — we hit 100%!

Apache Qpid Java Broker Authentication Bypass Vulnerability (CVE-2016-4432)