Alex Rudyy

**Name of the Vulnerable Software and Affected Versions** Apache Qpid Broker for Java versions 6.0.x through 6.0.5 Apache Qpid Broker for Java versions 6.1.x through 6.1.0 **Description** The Apache Qpid Broker for Java can be configured to use different AuthenticationProviders to handle user authentication, including SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts. This issue does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256. **Recommendations** For Apache Qpid Broker for Java versions 6.0.x through 6.0.5, update to version 6.0.6 or later. For Apache Qpid Broker for Java versions 6.1.x through 6.1.0, update to version 6.1.1 or later. As a temporary workaround, consider disabling the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Qpid Java versions prior to 6.0.3 **Description** The issue concerns the AMQP 0-8, 0-9, 0-91, and 0-10 connection handling, which might allow remote attackers to bypass authentication. This could enable attackers to perform actions via vectors related to connection state logging. **Recommendations** For versions prior to 6.0.3, update to version 6.0.3 or later to resolve the issue.