Bug 1186308 (CVE-2015-0223)

Summary: CVE-2015-0223 qpid-cpp: anonymous access to qpidd cannot be prevented
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, anemec, aortega, apevec, bhu, bkearney, cbillett, chrisw, cpelland, dallan, dsirrine, esammons, gkotton, gmollett, iboverma, jmatthew, jose.p.oliveira.oss, jross, katello-bugs, kpalko, lhh, lpeer, markmc, matt, mcressma, messaging-bugs, mmccune, nsantos, ohadlevy, pmoravec, rbryant, rhos-maint, rrajasek, sclewis, tjay, tross, tsanders, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that the Qpid daemon (qpidd) did not restrict access to anonymous users when the ANONYMOUS mechanism was disallowed.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-23 08:53:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1186310, 1186311, 1189391, 1192064, 1193170, 1471929    
Bug Blocks: 1181723    

Description Vasyl Kaigorodov 2015-01-27 11:41:37 UTC
It was reported [1] that an attacker can gain access to qpidd as an anonymous user, even if the ANONYMOUS mechanism is disallowed.

A patch is available (https://issues.apache.org/jira/browse/QPID-6325)
that addresses this vulnerability. The fix will be included in
subsequent releases, but can be applied to 0.30 if desired.

[1]: http://seclists.org/bugtraq/2015/Jan/122

Comment 1 Vasyl Kaigorodov 2015-01-27 11:43:40 UTC
Created qpid-cpp tracking bugs for this issue:

Affects: fedora-all [bug 1186310]
Affects: epel-7 [bug 1186311]

Comment 5 errata-xmlrpc 2015-03-09 13:43:32 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5 v. 2

Via RHSA-2015:0662 https://rhn.redhat.com/errata/RHSA-2015-0662.html

Comment 6 errata-xmlrpc 2015-03-09 13:43:50 UTC
This issue has been addressed in the following products:

  MRG v.2 for RHEL-7

Via RHSA-2015:0660 https://rhn.redhat.com/errata/RHSA-2015-0660.html

Comment 7 errata-xmlrpc 2015-03-09 13:50:18 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:0661 https://rhn.redhat.com/errata/RHSA-2015-0661.html

Comment 8 errata-xmlrpc 2015-03-19 17:10:47 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.3

Via RHSA-2015:0707 https://rhn.redhat.com/errata/RHSA-2015-0707.html

Comment 9 errata-xmlrpc 2015-03-19 17:11:12 UTC
This issue has been addressed in the following products:

  MRG Messaging v.3 for RHEL-7

Via RHSA-2015:0708 https://access.redhat.com/errata/RHSA-2015:0708

Comment 10 errata-xmlrpc 2015-03-19 17:11:57 UTC
This issue has been addressed in the following products:

  MRG Messaging v.3 for RHEL-7

Via RHSA-2015:0708 https://access.redhat.com/errata/RHSA-2015:0708

Comment 11 David Sirrine 2015-03-24 19:58:41 UTC
Is there a statement of applicability to the qpid-cpp packages in the base RHEL channels outside of MRG?

Comment 12 Tomas Hoger 2015-04-22 13:16:01 UTC
The qpid-cpp packages in Red Hat Enterprise Linux 6 are deprecated, see bug 1181721 comment 11.

Comment 13 Fedora Update System 2015-05-29 21:45:57 UTC
qpid-cpp-0.30-12.el7, qpid-qmf-0.28-27.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-06-21 00:04:05 UTC
qpid-cpp-0.32-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.