728x90
[CVE-2016-8741] Apache Qpid Broker for Java - Information Leakage
Vendor: The Apache Software Foundation
Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0
Description:
The Qpid Broker for Java can be configured to use different so
called AuthenticationProviders to handle user authentication.
Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
AuthenticationProvider types.
It was discovered that these AuthenticationProviders prematurely
terminate the SCRAM SASL negotiation if the provided user name
does not exist thus allowing remote attacker to determine the
existence of user accounts.
The Vulnerability does not apply to AuthenticationProviders other
than SCRAM-SHA-1 and SCRAM-SHA-256.
Resolution:
Users should upgrade the Qpid Broker for Java to version 6.0.6,
6.1.1, or later (recommended).
Mitigation:
If upgrading is not possible, the vulnerability can be mitigated
by using an AuthenticationProvider other than SCRAM-SHA-1 and
SCRAM-SHA-256.
References:
https://issues.apache.org/jira/browse/QPID-7599728x90
'취약점 정보2' 카테고리의 다른 글
| LG 모바일 안드로이드 1월 업데이트 내역 (0) | 2017.01.06 |
|---|---|
| QNAP NAS Devices suffer of heap overflow (0) | 2017.01.03 |
| Mozilla Foundation Security Advisory 2016-96 (0) | 2016.12.29 |
| PHPMailer 원격코드 실행 취약점 주의 권고 (0) | 2016.12.28 |
| XAMPP Control Panel Memory Corruption Denial Of Service (0) | 2016.12.27 |