Apache QPid Denial Of Service Vulnerability (April 10, 2015)

Apache Qpid is an open source message queuing system. It is built on top of AMQP which is an open internet protocol to reliably send and receive messages.

The applications interact with each other using commands and controls messages. Part of the communication specifies sessions which is communication between two peers. While a command message can be sent on a session only, a control message can be sent with or without a session. A denial of service vulnerability exists in the implementation of Apache QPid. This occurs specifically when an unsupported control (session.gap) is sent without an establishment of a session. To handle such unsupported control scenario, QPid does throw an expection; however, in the exception handling it assumes that a session has already been established. It tries to detach a non-existing session (null session object) to invoke ‘detach’ method on it. This causes an assertion failure and the application is terminated.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

• 10855 Apache Qpid DoS 1

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.