CVE-2016-8741

Name of the Vulnerable Software and Affected Versions Apache Qpid Broker for Java versions 6.0.x through 6.0.5 Apache Qpid Broker for Java versions 6.1.x through 6.1.0

Description The Apache Qpid Broker for Java can be configured to use different AuthenticationProviders to handle user authentication, including SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts. This issue does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.

Recommendations For Apache Qpid Broker for Java versions 6.0.x through 6.0.5, update to version 6.0.6 or later. For Apache Qpid Broker for Java versions 6.1.x through 6.1.0, update to version 6.1.1 or later. As a temporary workaround, consider disabling the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types until a patch is available.