Bug 817175 (CVE-2012-2145)

Summary: CVE-2012-2145 qpid-cpp: not closing incomplete connections exhausts file descriptors, leading to DoS
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: iboverma, jross, kim.vdriet, messaging-bugs, rdassen, security-response-team, tkramer
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120424,reported=20120127,source=upstream,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,fedora-all/qpid-cpp=affected,rhel-6/qpid-cpp=affected,mrg-2/qpid-cpp=affected,mrg-1/qpid-cpp=wontfix,openshift-1/qpid-cpp=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-19 15:51:32 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 609685, 820298    
Bug Blocks: 817177    

Description Vincent Danen 2012-04-27 18:18:21 EDT
A flaw was found in the way that qpidd handled incoming connections.  If a client application were to send a large number of connections to qpidd, without terminating the connections with an incomplete handshake, qpidd would keep a file descriptor open for each connection.  This could lead to excessive resource consumption by qpidd and could also block other legitimate connection requests.

This flaw has also been reported upstream:

https://issues.apache.org/jira/browse/QPID-2616 (RFE for disconnecting clients on incomplete handshakes)

https://issues.apache.org/jira/browse/QPID-4021 (the actual flaw)
Comment 2 Vincent Danen 2012-05-09 10:39:49 EDT
To work-around this issue, you can use the iptables connlimit feature to the qpid broker port so that any IP/Host gets a limited number of connections:

/sbin/iptables -A INPUT -p tcp --syn --dport $brokerPort -m connlimit
--connlimit-above N -j REJECT --reject-with tcp-reset
Comment 3 Vincent Danen 2012-05-09 10:41:18 EDT
Created qpid-cpp tracking bugs for this issue

Affects: fedora-all [bug 820298]
Comment 5 Vincent Danen 2012-05-25 15:57:16 EDT
This is corrected in upstream svn:

Comment 6 Vincent Danen 2012-05-28 14:15:58 EDT
Sorry, it was _partially_ corrected upstream.  See QPID-4021 (https://issues.apache.org/jira/browse/QPID-4021) where it notes that the default timeout still leaves a gap for where a misbehaving client can tie up the broker.  This has not yet been corrected upstream.

As well, the commit noted in #c5 is the second third of the fix, the first third is:


We are still waiting for the fix to fully resolve the flaw (QPID-4021).
Comment 7 Tomas Hoger 2012-08-16 11:44:24 EDT
Additional related commits:


which add per-user and per-IP connection limits (acl-max-connect-per-user and acl-max-connect-per-ip).
Comment 9 errata-xmlrpc 2012-09-19 13:21:00 EDT
This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2012:1277 https://rhn.redhat.com/errata/RHSA-2012-1277.html
Comment 10 errata-xmlrpc 2012-09-19 13:30:44 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1269 https://rhn.redhat.com/errata/RHSA-2012-1269.html
Comment 11 Vincent Danen 2012-09-19 15:51:32 EDT