A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in the functionality for authenticating connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected.

The following Authentication Providers support the PLAIN SASL mechanism and are affected:
- Plain
- PlainPasswordFile
- SimpleLDAP
- Base64MD5PasswordFile
- MD5
- SCRAM-SHA-256
- SCRAM-SHA-1

The following Authentication Providers support the XOAUTH2 SASL mechanism and are affected:
- OAuth2

The current implementations of the PLAIN and XOAUTH2 SASL mechanisms require the client to provide an initial response. A client that starts either mechanism without one (which RFC 4616 permits for PLAIN) is not handled, and the resulting unhandled error takes the broker down. The PLAIN and XOAUTH2 implementations should instead send an empty challenge (zero bytes) when no initial response is provided and evaluate the client's reply to that challenge.

Upstream Issue:
https://issues.apache.org/jira/browse/QPID-8046

Upstream Patches:
https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=de509dd
https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=30ca170
https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=4b9fb37

External References:
https://tools.ietf.org/html/rfc4616
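The following is an added example written for this entry, not code from Apache Qpid Broker-J or from the upstream patches. It models the server side of the RFC 4616 PLAIN exchange to show the failure class described above: one handler (PlainServerStrict, a hypothetical reconstruction) assumes the client always supplied an initial response, so a start-ok / sasl-init carrying none lets an exception escape the connection handler; the other (PlainServerFixed) answers a missing initial response with an empty challenge and evaluates the next client message. The user store, credentials, class and function names are all constructed for the example; the same handling applies to XOAUTH2, which is not modelled separately.

```python
"""Minimal SASL PLAIN server-side handling (RFC 4616), modelling the failure mode above.

Added example for this page; not Apache Qpid Broker-J code. The user store, credentials
and all names here are constructed for illustration.
"""

NUL = b"\x00"

# Constructed test user store: authcid -> password.
CREDENTIALS = {b"alice": b"s3cret"}


def parse_plain(message: bytes):
    """Split an RFC 4616 PLAIN message, [authzid] NUL authcid NUL passwd, into its fields."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        raise ValueError("PLAIN authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def check_credentials(message: bytes):
    """Outcome of a complete PLAIN message: ('OK', None) or ('FAIL', None)."""
    authzid, authcid, passwd = parse_plain(message)
    # Only an empty authzid or one equal to the authcid is accepted; proxy authorization
    # is not modelled here.
    if authzid not in (b"", authcid):
        return "FAIL", None
    if CREDENTIALS.get(authcid) == passwd:
        return "OK", None
    return "FAIL", None


class PlainServerStrict:
    """Hypothetical reconstruction of the failing behaviour: assumes the client always
    supplied credentials as the initial response, so a missing one is never handled."""

    def evaluate(self, response):
        # response is None when the client started PLAIN without an initial response;
        # None.split(...) raises and the exception escapes this handler unhandled.
        return check_credentials(response)


class PlainServerFixed:
    """Handles the optional initial response as RFC 4616 permits: with no initial
    response, reply with an empty challenge and evaluate the client's next message."""

    def evaluate(self, response):
        if response is None:
            return "CHALLENGE", b""  # empty server challenge: "send your credentials now"
        try:
            return check_credentials(response)
        except ValueError:
            # Malformed client data is an authentication failure, never a crash.
            return "FAIL", None


def run_exchange(server, initial_response, next_response=None):
    """Drive one client/server exchange the way a connection handler would.

    Returns 'OK', 'FAIL', or 'CRASH:<ExceptionType>' when the mechanism implementation
    lets an exception escape, the condition that takes the broker instance down."""
    try:
        state, _challenge = server.evaluate(initial_response)
        if state == "CHALLENGE":
            if next_response is None:
                return "FAIL"  # client never answered the challenge
            state, _challenge = server.evaluate(next_response)
        return state
    except Exception as exc:  # deliberately broad: classify whatever escaped the handler
        return f"CRASH:{type(exc).__name__}"


if __name__ == "__main__":
    creds = b"\x00alice\x00s3cret"  # constructed: empty authzid, authcid "alice"
    print("strict, initial response present :", run_exchange(PlainServerStrict(), creds))
    print("strict, no initial response      :", run_exchange(PlainServerStrict(), None))
    print("fixed,  no initial response      :", run_exchange(PlainServerFixed(), None, creds))
    print("fixed,  bad password             :", run_exchange(PlainServerFixed(), None, b"\x00alice\x00nope"))
    print("fixed,  malformed message        :", run_exchange(PlainServerFixed(), b"garbage"))
```

The strict handler only misbehaves on the path an unauthenticated client controls entirely: whether or not to attach an initial response. That is what makes the bug reachable before any credential check, and why the fix belongs in the mechanism implementation rather than in any individual Authentication Provider.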
Created qpid-java tracking bugs for this issue: Affects: fedora-all [bug 1543718]
Satellite 6 uses qpid-cpp, not qpid-java, so removing from affected.
The affected Java classes are not present in MRG-2 or MRG-M-3. They were added in version 7 of qpid-broker-j, which is the upstream project.
JBoss A-MQ and Fuse only contain the qpid client libraries, not the broker implementation.