Ken Giusti

**Name of the Vulnerable Software and Affected Versions** Apache Qpid Proton versions prior to 0.12.1 **Description** The issue is related to the improper use of an unencrypted connection for an amqps URI scheme when SSL support is unavailable in certain classes. This might allow attackers to obtain sensitive information or modify data. The affected classes include proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection. **Recommendations** For versions prior to 0.12.1, update to version 0.12.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of amqps URI schemes when SSL support is unavailable to minimize the risk of exploitation. Restrict access to sensitive information and data to prevent potential modification by unauthorized parties.

**Name of the Vulnerable Software and Affected Versions** Apache Qpid versions prior to 2.2 **Description** The issue concerns the Python client in Apache Qpid, which fails to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. **Recommendations** For versions prior to 2.2, update to version 2.2 or later to resolve the issue. As a temporary workaround, consider verifying the server hostname manually to ensure it matches the domain name in the certificate. Restrict access to sensitive data until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Apache Qpid versions prior to 0.6 Red Hat Enterprise MRG versions prior to 1.3 **Description** The issue allows remote authenticated users to cause a denial of service, resulting in a NULL pointer dereference, daemon crash, and cluster outage. This occurs when attempting to modify the alternate of an exchange, specifically through the SessionAdapter::ExchangeHandlerImpl::checkAlternate function in the C++ Broker component. **Recommendations** For Apache Qpid versions prior to 0.6, update to version 0.6 or later to resolve the issue. For Red Hat Enterprise MRG versions prior to 1.3, update to version 1.3 or later to resolve the issue.