Apache QPid Denial Of Service Vulnerability

April 10, 2015

Apache Qpid is an open source message queuing system. It is built on top of AMQP which is an open internet protocol to reliably send and receive messages.

The applications interact with each other using commands and controls messages. Part of the communication specifies sessions which is communication between two peers. While a command message can be sent on a session only, a control message can be sent with or without a session. A denial of service vulnerability exists in the implementation of Apache QPid. This occurs specifically when an unsupported control (session.gap) is sent without an establishment of a session. To handle such unsupported control scenario, QPid does throw an expection; however, in the exception handling it assumes that a session has already been established. It tries to detach a non-existing session (null session object) to invoke 'detach' method on it. This causes an assertion failure and the application is terminated.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 10855 Apache Qpid DoS 1