Bug 1861814 (CVE-2020-14348)
Summary: | CVE-2020-14348 AMQ: Denial of Service via unrecognized field injection | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dave Baker <dbaker> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | cbyrne, chazlett, crarobin, ganandan, jechoi, jmadigan, jochrist, jross, jwon, kwall, ngough, rgodfrey, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://issues.redhat.com/browse/ENTMQMAAS-2498 https://issues.redhat.com/browse/INTLY-9689 |
Fixed In Version: | amq-online-1.5.2 enmasse-0.32.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in AMQ Online before 1.5.2, where injecting an invalid field into a user's address space configuration of the user namespace puts AMQ Online in an inconsistent state. In this inconsistent state, the AMQ Online components do not operate properly; for example, provisioning and address creation may fail. However, this issue does not impact already existing messaging clients or brokers.
|
Last Closed: | 2020-07-31 13:26:23 UTC | Type: | --- |
Bug Blocks: | 1861608 |
Description
Dave Baker
2020-07-29 16:00:34 UTC
Acknowledgments:
Name: Jeremy Choi (Red Hat Product Security)

Mitigation:
The user can work around the issue by repairing the resource and removing the invalid (top-level) field.