The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2016-4432 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue did not affect the versions of the qpid -java broker as shipped with Red Hat MRG 2 and 3 and Satellite 6 as they did not use the access feature (e.g. Satellite 6 relies on client certificate authentication to control access).
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | qpid-java | Will not fix |
| Red Hat Enterprise MRG 3 | qpid-java | Will not fix |
| Red Hat Enterprise MRG 2 | qpid-java | Will not fix |
If upgrading is not possible, the vulnerability can be mitigated using
an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists
user access to all virtualhosts.
If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the
vulnerability can also be mitigated by turning off these protocols at
the Port level.
Vulmon