
U-159: Red Hat Enterprise MRG Messaging Qpid Bug Lets Certain Remote Users Bypass Authentication

May 1, 2012 - 7:00am


PROBLEM:

Red Hat Enterprise MRG Messaging Qpid Bug Lets Certain Remote Users Bypass Authentication

PLATFORM:

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

ABSTRACT:

A vulnerability was reported in Red Hat Enterprise MRG Messaging. A remote user can access cluster messages and view the internal configuration.

REFERENCE LINKS:

SecurityTracker Alert ID: 1026990
CVE-2011-3620
Red Hat advisory

IMPACT ASSESSMENT:

High

Discussion:

Qpid may accept arbitrary passwords and SASL mechanisms. A remote user on the local private interconnect network who knows a valid cluster name can gain access to the target cluster. The remote user can receive messages replicated to the cluster, send arbitrary cluster messages, mark any present message as consumed, run arbitrary jobs on the cluster, and view, modify, or create arbitrary user jobs. The remote user can also view the internal Qpid/MRG configuration.

Impact:

A remote user can access cluster messages and view the internal configuration.

Solution:

The vendor has issued a fix.
