Bug 817175 (CVE-2012-2145) - CVE-2012-2145 qpid-cpp: not closing incomplete connections exhausts file descriptors, leading to DoS
Summary: CVE-2012-2145 qpid-cpp: not closing incomplete connections exhausts file desc...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2145
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Engineering609685 820298
Blocks: Embargoed817177
TreeView+ depends on / blocked
 
Reported: 2012-04-27 22:18 UTC by Vincent Danen
Modified: 2021-02-23 14:50 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-19 19:51:32 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 32663 0 None None None 2012-11-12 10:54:05 UTC
Red Hat Product Errata RHSA-2012:1269 0 normal SHIPPED_LIVE Moderate: qpid security, bug fix, and enhancement update 2012-09-19 21:29:49 UTC
Red Hat Product Errata RHSA-2012:1277 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Messaging 2.2 update 2012-09-19 21:18:49 UTC

Description Vincent Danen 2012-04-27 22:18:21 UTC 
A flaw was found in the way that qpidd handled incoming connections.  If a client application were to send a large number of connections to qpidd, without terminating the connections with an incomplete handshake, qpidd would keep a file descriptor open for each connection.  This could lead to excessive resource consumption by qpidd and could also block other legitimate connection requests.

This flaw has also been reported upstream:

https://issues.apache.org/jira/browse/QPID-2616 (RFE for disconnecting clients on incomplete handshakes)

https://issues.apache.org/jira/browse/QPID-4021 (the actual flaw)
Comment 2 Vincent Danen 2012-05-09 14:39:49 UTC 
To work-around this issue, you can use the iptables connlimit feature to the qpid broker port so that any IP/Host gets a limited number of connections:

/sbin/iptables -A INPUT -p tcp --syn --dport $brokerPort -m connlimit
--connlimit-above N -j REJECT --reject-with tcp-reset
Comment 3 Vincent Danen 2012-05-09 14:41:18 UTC 
Created qpid-cpp tracking bugs for this issue

Affects: fedora-all [bug 820298]
Comment 5 Vincent Danen 2012-05-25 19:57:16 UTC 
This is corrected in upstream svn:

http://svn.apache.org/viewvc?view=revision&revision=1341263
Comment 6 Vincent Danen 2012-05-28 18:15:58 UTC 
Sorry, it was _partially_ corrected upstream.  See QPID-4021 (https://issues.apache.org/jira/browse/QPID-4021) where it notes that the default timeout still leaves a gap for where a misbehaving client can tie up the broker.  This has not yet been corrected upstream.

As well, the commit noted in #c5 is the second third of the fix, the first third is:

http://svn.apache.org/viewvc?view=revision&revision=1341262

We are still waiting for the fix to fully resolve the flaw (QPID-4021).
Comment 7 Tomas Hoger 2012-08-16 15:44:24 UTC 
Additional related commits:

http://svn.apache.org/viewvc?view=revision&revision=1331549
http://svn.apache.org/viewvc?view=revision&revision=1332788

which add per-user and per-IP connection limits (acl-max-connect-per-user and acl-max-connect-per-ip).
Comment 9 errata-xmlrpc 2012-09-19 17:21:00 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2012:1277 https://rhn.redhat.com/errata/RHSA-2012-1277.html
Comment 10 errata-xmlrpc 2012-09-19 17:30:44 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1269 https://rhn.redhat.com/errata/RHSA-2012-1269.html
Comment 11 Vincent Danen 2012-09-19 19:51:32 UTC 
Statement:

(none)
Note You need to log in before you can comment on or make changes to this bug.