Key vulnerability information
CVE ID: CVE-2016-4432
Vulnerability type: Authentication Bypass
Severity: Important

Affected versions
Affected versions: Qpid Java Broker versions 6.0.2 and earlier

Description
Vulnerability description: The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw that allows authentication to be bypassed. A remote attacker can exploit this vulnerability to perform actions without the need to specify valid credentials. For instance, unauthorised messages could be injected or messages stolen.

Unaffected cases:
- The vulnerability cannot be exploited if the Access Control List (ACL) feature is enabled AND access to all virtual hosts is controlled.
- The vulnerability does not apply to the Broker's AMQP 1.0 support.
- The vulnerability does not apply if the Broker is configured to require SSL client authentication for all messaging connections.

Solution
Fix: Users should upgrade the Qpid Java Broker to version 6.0.3 or later (recommended).

Mitigation
Mitigation measures:
- If upgrading is not possible, the vulnerability can be mitigated using an ACL file containing "ACCESS VIRTUALHOST" clauses that white-list user access to all virtualhosts.
- If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can also be mitigated by turning off these protocols at the Port level.

References
Reference: https://issues.apache.org/jira/browse/QPID-7257
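An added illustration of the first mitigation above (this is not an ACL file from the Qpid project or the advisory): a Broker ACL file in which every virtualhost has an explicit "ACCESS VIRTUALHOST" white-list, so a connection that did not authenticate as a listed user or group matches no allow rule and is refused. The group names "admins" and "app-clients" and the virtualhost names "default" and "orders" are assumptions.

```text
# Qpid Java Broker ACL file (example only; names are assumed).
# Rules are evaluated top to bottom; the final rule denies everything
# that was not explicitly allowed above it.

# Operators get full control.
ACL ALLOW-LOG admins ALL ALL

# White-list ordinary clients per virtualhost. Every virtualhost the
# Broker serves must have such a rule, otherwise the mitigation is
# incomplete (the advisory requires access to ALL virtual hosts to be
# controlled).
ACL ALLOW-LOG app-clients ACCESS VIRTUALHOST name="default"
ACL ALLOW-LOG app-clients ACCESS VIRTUALHOST name="orders"

# Anything else, including a connection with no valid identity, is denied
# and logged.
ACL DENY-LOG ALL ALL
```

The ACL must be enabled on the Broker for these rules to take effect; disabling the 0-8/0-9/0-91/0-10 protocols on the Port is the alternative when those protocol versions are not needed.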