CVE-2016-4432 — CRITICAL (9.1)

Q: How severe is CVE-2016-4432?

CVE-2016-4432 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2016-4432?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Qpid Broker-J.

Vulnerability Description

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Qpid Broker-J	< 6.0.3

Related Weaknesses (CWE)

CWE-287

References

http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3CCAFEMS4tXDKYxVendor Advisory
http://packetstormsecurity.com/files/137216/Apache-Qpid-Java-Broker-6.0.2-AuthenThird Party AdvisoryVDB Entry
http://www.securityfocus.com/archive/1/538508/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1035983Broken LinkThird Party AdvisoryVDB Entry
https://issues.apache.org/jira/browse/QPID-7257Issue TrackingVendor Advisory
https://svn.apache.org/viewvc?view=revision&revision=1743161PatchVendor Advisory
https://svn.apache.org/viewvc?view=revision&revision=1743393PatchVendor Advisory
http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3CCAFEMS4tXDKYxVendor Advisory
http://packetstormsecurity.com/files/137216/Apache-Qpid-Java-Broker-6.0.2-AuthenThird Party AdvisoryVDB Entry
http://www.securityfocus.com/archive/1/538508/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1035983Broken LinkThird Party AdvisoryVDB Entry
https://issues.apache.org/jira/browse/QPID-7257Issue TrackingVendor Advisory
https://svn.apache.org/viewvc?view=revision&revision=1743161PatchVendor Advisory
https://svn.apache.org/viewvc?view=revision&revision=1743393PatchVendor Advisory

FAQ

What is CVE-2016-4432?

CVE-2016-4432 is a vulnerability with a CVSS score of 9.1 (CRITICAL). The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to con...

How severe is CVE-2016-4432?

CVE-2016-4432 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2016-4432?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Qpid Broker-J.