PT-2018-11511 · Apache · Apache Qpid Broker-J

Published: 2018-02-09 · Updated: 2018-10-19 · CVE-2018-1298

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache Qpid Broker-J version 7.0.0

Description: A Denial of Service issue was found in the authentication functionality for AMQP protocols 0-8, 0-9, 0-91, and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. This allows an unauthenticated attacker to crash the broker instance. The issue affects connections using specific SASL mechanisms, including those supported by Authentication Providers of types Plain, PlainPasswordFile, SimpleLDAP, Base64MD5PasswordFile, MD5, SCRAM-SHA-256, and SCRAM-SHA-1 for PLAIN, and OAuth2 for XOAUTH2. AMQP 1.0 and HTTP connections are not affected.

Recommendations: For Apache Qpid Broker-J version 7.0.0, consider disabling the use of the PLAIN and XOAUTH2 SASL mechanisms in the Authentication Providers until a patch is available. Restrict access to the affected AMQP ports configured with vulnerable Authentication Providers to minimize the risk of exploitation.


Weakness Enumeration

Related Identifiers

CVE-2018-1298
GHSA-6W3V-66MJ-2QM6

Affected Products

Apache Qpid Broker-J