Security Advisory Moderate: Red Hat Enterprise MRG Messaging 2.2 update

Advisory: RHSA-2012:1277-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-09-19
Last updated on: 2012-09-19
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2012-2145
CVE-2012-3467

Details

Updated Messaging component packages that fix two security issues, multiple
bugs, and add various enhancements are now available for Red Hat Enterprise
MRG 2.2 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Messaging is a high-speed reliable messaging distribution for Linux
based on AMQP (Advanced Message Queuing Protocol), an open protocol
standard for enterprise messaging that is designed to make mission critical
messaging widely available as a standard service, and to make enterprise
messaging interoperable across platforms, programming languages, and
vendors. MRG Messaging includes an AMQP 0-10 messaging broker; AMQP 0-10
client libraries for C++, Java JMS, and Python; as well as persistence
libraries and management tools.

It was discovered that the Apache Qpid daemon (qpidd) did not allow the
number of connections from clients to be restricted, and did not close
connections that never completed protocol negotiation (Bug 817175). A
malicious client could use this flaw to open an excessive number of
connections, exhausting the broker's file descriptors and preventing other
legitimate clients from establishing a connection to qpidd.
(CVE-2012-2145)

To address CVE-2012-2145, new qpidd configuration options were introduced:
max-negotiate-time sets the time within which a new connection must
complete initial protocol negotiation, so that half-open connections are
dropped rather than held indefinitely; connection-limit-per-user and
connection-limit-per-ip cap the number of concurrent connections per
authenticated user and per client host IP address. These limits are
opt-in: after updating, set them explicitly in qpidd.conf (or on the qpidd
command line) to obtain the protection. Refer to the qpidd manual page for
additional details.

It was discovered that qpidd did not require authentication for "catch-up"
shadow connections created when a new broker joins a cluster; such
connections were accepted through a null authenticator (Bug 836276). A
malicious client could use this flaw to bypass client authentication and
gain unauthorized access to the broker. Only brokers running the cluster
module (qpid-cpp-server-cluster) are affected. (CVE-2012-3467)

This update also fixes multiple bugs and adds enhancements. Documentation
for these changes will be available shortly from the Technical Notes
document linked to in the References section.

All users of the Messaging capabilities of Red Hat Enterprise MRG 2.2 are
advised to upgrade to these updated packages, which resolve the issues and
add the enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.
After installing the updated packages, stop the cluster by either running
"service qpidd stop" on all nodes, or "qpid-cluster --all-stop" on any one
of the cluster nodes. Once stopped, restart the cluster with "service qpidd
start" on all nodes for the update to take effect.
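The following script is added here as a worked example; it is not part of this advisory, nor code from Red Hat or the Apache Qpid project. It ties together the two procedures above: it compares the package versions reported by rpm against the fixed version-release values in this advisory's package list (so the update can be confirmed on every cluster node before the stop/start), and it writes the new qpidd connection-limit options into qpidd.conf text. The limit values (50 connections per IP, 20 per user, a 10000 ms negotiation timeout) are assumed example values to be tuned per deployment, the version comparison is a simplified reimplementation of rpm's rpmvercmp, SAMPLE_RPM_OUTPUT is constructed, and the function names are the example's own.

```python
"""Post-update checks for RHSA-2012:1277 (added example, not Red Hat or
Apache Qpid code): verify fixed package versions, set qpidd limits."""
import re
import subprocess

# Fixed version-release per package, from the advisory's package list.
FIXED = {
    "qpid-cpp-server": "0.14-22.el5",
    "qpid-cpp-server-cluster": "0.14-22.el5",
    "python-qpid": "0.14-11.el5",
    "qpid-qmf": "0.14-14.el5",
    "qpid-tools": "0.14-6.el5",
    "qpid-java-client": "0.18-2.el5",
}

# Assumed example limits; tune per deployment. qpidd.conf keys are the long
# option names without "--"; max-negotiate-time is in milliseconds (qpidd(1)).
LIMITS = {
    "connection-limit-per-ip": "50",
    "connection-limit-per-user": "20",
    "max-negotiate-time": "10000",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp over alternating numeric/alpha segments: numbers
    compare as integers and rank above letters; leftover segments win.
    Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0

def evr_cmp(installed, fixed):
    """Compare two 'version-release' strings, version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def parse_rpm_query(text):
    """Parse 'NAME VERSION-RELEASE' lines as printed by
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'; 'not installed' lines skip."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED:
            found[parts[0]] = parts[1]
    return found

def query_rpm(pkgs=tuple(FIXED)):
    """Query rpm on this host; returns {} when rpm is not available."""
    try:
        proc = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *pkgs],
            capture_output=True, text=True)
    except FileNotFoundError:
        return {}
    return parse_rpm_query(proc.stdout)

def audit(installed):
    """[(package, installed, fixed)] for installed packages still older than
    the advisory's fixed version; absent packages are not reported."""
    return [(p, v, FIXED[p]) for p, v in sorted(installed.items())
            if evr_cmp(v, FIXED[p]) < 0]

def apply_limits(conf_text, limits=LIMITS):
    """Return qpidd.conf text with the limit keys set: existing values are
    replaced, duplicates dropped, other lines kept, missing keys appended."""
    out, seen = [], set()
    for line in conf_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in limits:
            if key not in seen:
                out.append("%s=%s" % (key, limits[key]))
                seen.add(key)
        else:
            out.append(line)
    for key in limits:
        if key not in seen:
            out.append("%s=%s" % (key, limits[key]))
    return "\n".join(out) + "\n"

# Constructed sample of rpm -q output from a host that has not been updated.
SAMPLE_RPM_OUTPUT = """\
qpid-cpp-server 0.14-21.el5
qpid-cpp-server-cluster 0.14-21.el5
python-qpid 0.14-11.el5
package qpid-java-client is not installed
"""

if __name__ == "__main__":
    installed = query_rpm() or parse_rpm_query(SAMPLE_RPM_OUTPUT)
    for pkg, have, want in audit(installed):
        print("%s: installed %s, fixed in %s" % (pkg, have, want))
    print(apply_limits("auth=yes\n"), end="")
```

Two points to keep in mind when using the output. connection-limit-per-user is keyed on the authenticated identity, so it only helps on brokers that authenticate clients; connection-limit-per-ip is the limit that also covers unauthenticated and anonymous clients, and it should be sized for the largest pool of legitimate clients that share a source address (for example behind NAT), or it becomes a self-inflicted denial of service. A changed qpidd.conf takes effect only on restart, which for a cluster means the full stop/start sequence given above rather than restarting one node at a time.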


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)

SRPMS:
mrg-release-2.2.0-1.el5.src.rpm
File outdated by:  RHSA-2014:0261
    MD5: 25dc60f4bdfad0485ab3e6aa2be3c628
SHA-256: f17b7a88ab03f4579000df03d145cc3f783e3bd7e9be506101dd342953a3a9f0
python-qpid-0.14-11.el5.src.rpm
File outdated by:  RHBA-2014:0129
    MD5: bb18cb8af863bddb588fb975358a70bc
SHA-256: 23e2e8b88ea90445f2b4964a76dfb7297a18a65fc28f3851136d4ad4c6be68d9
qpid-cpp-mrg-0.14-22.el5.src.rpm
File outdated by:  RHBA-2014:0129
    MD5: 84469c83e15964d7cb3163dc92f5778c
SHA-256: 66d05c6b2b062ee6526fdf3e8c3e9ce1de81800a0c3f918d51df18be95a2f3cc
qpid-java-0.18-2.el5.src.rpm
File outdated by:  RHBA-2013:1023
    MD5: adf2dc1fe9af581c88d05f99845506ff
SHA-256: dbb330a30540ad888f6af1e7422c0dd24a14e7c5f18f3d777557fadfc621207c
qpid-jca-0.18-2.el5.src.rpm
File outdated by:  RHSA-2013:0561
    MD5: 4fb416f75c45f7ddf6282281855eadd8
SHA-256: 248caff0cd5150ef3e6c17f770186085898a6a2fdaacbbe3602c1c7ccd869774
qpid-qmf-0.14-14.el5.src.rpm
File outdated by:  RHBA-2014:0129
    MD5: 699e09a020f9e6ebc76212f1a446f7ba
SHA-256: 5085e806510aab53052331f545931b113fe966fb8beac1f4d3cb6ad7889c95d6
qpid-tools-0.14-6.el5.src.rpm
File outdated by:  RHBA-2013:1023
    MD5: 489dbee8c8e2a9a4110aeabef5731eef
SHA-256: 9fbb4ca786b84b7a7bd8367f1259600fdf22f3f7af54707859bc876bf7f17c74
 
IA-32:
mrg-release-2.2.0-1.el5.noarch.rpm
File outdated by:  RHSA-2014:0261
    MD5: 8776d692f87f7f1cd9d9ed4970b9f601
SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06
python-qpid-0.14-11.el5.noarch.rpm
File outdated by:  RHBA-2014:0129
    MD5: 28cb18977f8ca2afffead28bd1bac497
SHA-256: cbd10cb081204df63ecc0454a44aee568cad004728873f9bbca6bf8dc80f5543
python-qpid-qmf-0.14-14.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 5006a943c61e690204043406275be929
SHA-256: 88cb154edfcca6c097b640b815280f2b56aac8b459d937805ca89c8f0cfd4d8a
qpid-cpp-client-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: a4debb97ad0469d18ffaf6bdb728f9ec
SHA-256: a7ee4639aba07ea9ebe0826a0946007a1fc5b817d7a281f51a1515b892e0b04f
qpid-cpp-client-devel-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 075c82400ea668ecda89e6997015ecda
SHA-256: 1aec8333f5969f01bfe356ddecbf91d3702d58a888f680ba7a774733dd8bed1f
qpid-cpp-client-devel-docs-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 45f0be2fe921af219a3d45fc7f4e55ef
SHA-256: a26f5c4515630720d3646cd0ab886316f8bd29fb50880a88916b41d2b1056b82
qpid-cpp-client-rdma-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 71e5bcf7c28b3f950d672b476a681467
SHA-256: ded9a1d2cb2ea6c4712897bf93da132f753588322a3f9e9ca76d4ff46da3bfe9
qpid-cpp-client-ssl-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: d35cefab76c0bb7536ed9966835f0666
SHA-256: 6a3c22b4a92de3f9883ecee1e7e71cc46097e0733ca0b194ee818541d0ea41cc
qpid-cpp-server-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: e3a80842dddc5879824035b952983b0d
SHA-256: d03d2764b918942a777b3c9f4141d8a889ff1f23eff792885b6e06ddc25eb8fa
qpid-cpp-server-cluster-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 6c5b3c3e5301a704df5850400085f0d5
SHA-256: 332d7265fcfdb02179cf07ee8fecb6a4bc6f5640d47eff65405660c3e0dce596
qpid-cpp-server-devel-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: a81940c02968cc30598673e080ed1211
SHA-256: 97536d273ea7f65f38f55aeecb4a829021dad08f0dc21707c783b0a33ef0a3e6
qpid-cpp-server-rdma-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 7b3aa1407d2122c87ec181b870334b92
SHA-256: 10c1a36abe019ae32c5f297a28dd2aa4c1c377eed991cd2d25d1a351157ee390
qpid-cpp-server-ssl-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 5fa9bd8784e7a9aa4928942e999d848d
SHA-256: 5042440d0065fa530fd053eb2c6ce521eefb01243014393a64fa370c3d2fcf96
qpid-cpp-server-store-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: c9b5b966ac755f1f48d16780d53adcf3
SHA-256: 3e1395d4754d9570b99ab54d01573b7747e2c414dc81b4c8b9e96bc820b9ab3f
qpid-cpp-server-xml-0.14-22.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: cd0a83ec29ec41f5a01850b9e29fa75e
SHA-256: d8243baedb4fafa9d62b9262d3a81d1259b84fc31e39cc004735d6235d5a9b0e
qpid-java-client-0.18-2.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: 681e92f7c694b2d7d129fffa3a0d73d1
SHA-256: 4e79c1c09ceff1995d5ed80a398532c7fd94a4ebce96822c5aac27d5a8bf718b
qpid-java-common-0.18-2.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: 0a01a622efbe4f0a8f9efda9f3191de5
SHA-256: c71ae8bd8772975211327250c9e07d22b0074f69c71b9d491b0e8fef32e61663
qpid-java-example-0.18-2.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: bd81ef27d9614a4483eb93cdffd4a472
SHA-256: ca544803b8e7d98c2dc9851c03f904665a0f1f505406484de2463ca1708bd506
qpid-jca-0.18-2.el5.noarch.rpm
File outdated by:  RHSA-2013:0561
    MD5: f995a1a5cd57d2878f453cb73e05675e
SHA-256: e2d2540997f212615fa48f59bc90f1fd57b915e1e2381655a58cc6459290f49f
qpid-jca-xarecovery-0.18-2.el5.noarch.rpm
File outdated by:  RHSA-2013:0561
    MD5: f14d45eefb20595a53d95981700eb962
SHA-256: 77420418276c41671038b9ea2028ceec4728cf01e7f24e9851513e46860160be
qpid-qmf-0.14-14.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 74bbbb956dae121c39725031552579b2
SHA-256: 22d55d79afd87c20eccf1313c680822eabd5d13c9c9ff6b952a16fbc22c2c6de
qpid-qmf-devel-0.14-14.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 0911a1e9341b86c58606644b28da34bc
SHA-256: 77ec90795833f29472c50f1105c49aec9f55f1a056c1c95b234c59b555ee7da4
qpid-tools-0.14-6.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: 22653cdd385680bd3de9e026709623be
SHA-256: 7e419f809a9f30ca835cf4f18d82a4ca4af8da8b0d7ed2d1ee94bcefc89d7fb0
ruby-qpid-qmf-0.14-14.el5.i386.rpm
File outdated by:  RHBA-2014:0129
    MD5: 414a6e48ddad30ad0423f29aea083945
SHA-256: 6cb8769c422a206b5ae6514b650cfc90a0bb59f2521cab5f8b450acf27aff8a6
 
x86_64:
mrg-release-2.2.0-1.el5.noarch.rpm
File outdated by:  RHSA-2014:0261
    MD5: 8776d692f87f7f1cd9d9ed4970b9f601
SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06
python-qpid-0.14-11.el5.noarch.rpm
File outdated by:  RHBA-2014:0129
    MD5: 28cb18977f8ca2afffead28bd1bac497
SHA-256: cbd10cb081204df63ecc0454a44aee568cad004728873f9bbca6bf8dc80f5543
python-qpid-qmf-0.14-14.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: d9142c9d8ce10a8b0cf56700717d81ce
SHA-256: 4ac304da59d48ccbd7b1fb6ad4bc97ffa36f1fadcc733780c3989a6689c24c87
qpid-cpp-client-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 746eebeffa001dc9b918f1ccd83484c1
SHA-256: b271403221cb23650f8920100afe7aee3e78ae28bca5e2f78e6d7db8fba0bd51
qpid-cpp-client-devel-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 326ffe87895aa4fe55ec48be846e07a5
SHA-256: 3e2bc4bfddd95c7bef2af20445ab0c141d4260a0212a7a90c9debdbf25db4c73
qpid-cpp-client-devel-docs-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 525f3f6bae9672536dfa695ae8ab895d
SHA-256: 052083e2ff43563c9e01f102f558e1e1f730b10549a34b247b5db29b581de62f
qpid-cpp-client-rdma-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 3295d981a606a1c1cd1ab72a535fd173
SHA-256: f880e8ae4f243252a6c6fd3006e415aed542c57efc30e89ac2b653e8c990eb53
qpid-cpp-client-ssl-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: e6d4495a2b0a35a27aedd8e86ae2f58d
SHA-256: 1e028190988f2f471b94827fdad28e68b466af066d8ea72f245caffe55edb516
qpid-cpp-server-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: f7a41ada1614f29a4fba11a6a8e723b4
SHA-256: 963d318cd7c2a8f8148ce4d39c8cc615a3b950a7510f963f399fcd33974a7eb5
qpid-cpp-server-cluster-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: da2f81bfdef4ebc5b2f52980018ea4c4
SHA-256: 8b7a14165995af75809cd7d1313f1daa34a4edee41dbc8d17221027f0835b40e
qpid-cpp-server-devel-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: a6a655e924e70f5045e1f6a4fc26a87e
SHA-256: a1071d33c2b88592d82f5dd68209faf158c7347217af3912583de8a08f7ac3f5
qpid-cpp-server-rdma-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 31f5396639afa906775a61924cdbebf1
SHA-256: d074d2274cffa8d8d7898901791dfa538df6e4489a184c4bd89329c5162a01ea
qpid-cpp-server-ssl-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 5bead2d09e5f064d0337146e534f67f1
SHA-256: a616e46d1c79df7081873a248dc4d1f2829d878017f61839c2c167abfbe3e6e4
qpid-cpp-server-store-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 09dcb924134d1c8f88f0f809a3122b22
SHA-256: 8b6a5dde9d7ea9972ab3b2d1cf40c2a99b49cf1f0da9946cf217f6e0b3ce3566
qpid-cpp-server-xml-0.14-22.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: e02ce79e28b90b77f7888284ea73d7ba
SHA-256: 698213f02001344864a050ae9a7dd3c257c6a630403c0aad9d2cadd65ae0fda5
qpid-java-client-0.18-2.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: 681e92f7c694b2d7d129fffa3a0d73d1
SHA-256: 4e79c1c09ceff1995d5ed80a398532c7fd94a4ebce96822c5aac27d5a8bf718b
qpid-java-common-0.18-2.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: 0a01a622efbe4f0a8f9efda9f3191de5
SHA-256: c71ae8bd8772975211327250c9e07d22b0074f69c71b9d491b0e8fef32e61663
qpid-java-example-0.18-2.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: bd81ef27d9614a4483eb93cdffd4a472
SHA-256: ca544803b8e7d98c2dc9851c03f904665a0f1f505406484de2463ca1708bd506
qpid-jca-0.18-2.el5.noarch.rpm
File outdated by:  RHSA-2013:0561
    MD5: f995a1a5cd57d2878f453cb73e05675e
SHA-256: e2d2540997f212615fa48f59bc90f1fd57b915e1e2381655a58cc6459290f49f
qpid-jca-xarecovery-0.18-2.el5.noarch.rpm
File outdated by:  RHSA-2013:0561
    MD5: f14d45eefb20595a53d95981700eb962
SHA-256: 77420418276c41671038b9ea2028ceec4728cf01e7f24e9851513e46860160be
qpid-qmf-0.14-14.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 283f90e03f4c3f12d0e3fe855e421524
SHA-256: cfaddd56f2ceedd5dfb3cc208cdb5c1a3a707c9808ba3375cabef3c79ddefa07
qpid-qmf-devel-0.14-14.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 9e86c1570e6b1ff224dc1243e39cbd20
SHA-256: ee5323e195edc35aeb9b70c938201f2901f111dc06b9dc0bf4eb4471b8cc7bab
qpid-tools-0.14-6.el5.noarch.rpm
File outdated by:  RHBA-2013:1023
    MD5: 22653cdd385680bd3de9e026709623be
SHA-256: 7e419f809a9f30ca835cf4f18d82a4ca4af8da8b0d7ed2d1ee94bcefc89d7fb0
ruby-qpid-qmf-0.14-14.el5.x86_64.rpm
File outdated by:  RHBA-2014:0129
    MD5: 2369376a2480ceab64a2226882071c97
SHA-256: 5233524504d40259058a20b4648d8622efb0c47edfcbfa9ea02541ab7b100af3
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

689408 - ACL denials while replicating exclusive queues to a newly joined node
693444 - Inconsistency in clients on reliability of receiver link from exchange
809357 - "qpid-perftest.exe" and "qpid-latency-test.exe" fail with option "--tcp-nodelay" on Windows
817175 - CVE-2012-2145 qpid-cpp: not closing incomplete connections exhausts file descriptors, leading to DoS
836276 - CVE-2012-3467 qpid-cpp-server-cluster: unauthorized broker access caused by the use of NullAuthenticator catch-up shadow connections
841488 - qpid-stat does not support multi-byte characters (UTF-8)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/