Frantisek Reznicek of Red Hat reported that a change in or before qpid version 0.22 resulted in ACL policies only being loaded if the acl-file option was specified. This resulted in qpidd, by default, not checking the connection limit. A client could send a large number of requests to qpidd, resulting in the file descriptor limit being reached and qpidd refusing to handle further connections.
Acknowledgements: This issue was discovered by Frantisek Reznicek of Red Hat.
Statement: Not vulnerable. This issue did not affect the versions of qpid-cpp as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2, and Red Hat Enterprise MRG Messaging 3.
MRG-M 3.0 GA [1] was not affected by this issue.
[1] https://rhn.redhat.com/errata/RHEA-2014-1296.html
Upstream Issue: https://issues.apache.org/jira/browse/QPID-4938