Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Qpid | Apache | * | 0.16 (including) |
| Qpid | Apache | 0.5 (including) | 0.5 (including) |
| Qpid | Apache | 0.6 (including) | 0.6 (including) |
| Qpid | Apache | 0.14 (including) | 0.14 (including) |
| MRG for RHEL-5 v. 2 | RedHat | mrg-release-0:2.2.0-1.el5 | * |
| MRG for RHEL-5 v. 2 | RedHat | python-qpid-0:0.14-11.el5 | * |
| MRG for RHEL-5 v. 2 | RedHat | qpid-cpp-mrg-0:0.14-22.el5 | * |
| MRG for RHEL-5 v. 2 | RedHat | qpid-java-0:0.18-2.el5 | * |
| MRG for RHEL-5 v. 2 | RedHat | qpid-jca-0:0.18-2.el5 | * |
| MRG for RHEL-5 v. 2 | RedHat | qpid-qmf-0:0.14-14.el5 | * |
| MRG for RHEL-5 v. 2 | RedHat | qpid-tools-0:0.14-6.el5 | * |
| Red Hat Enterprise MRG 2 | RedHat | mrg-release-0:2.2.0-1.el6 | * |
| Red Hat Enterprise MRG 2 | RedHat | qpid-cpp-0:0.14-22.el6_3 | * |
| Red Hat Enterprise MRG 2 | RedHat | qpid-java-0:0.18-2.el6 | * |
| Red Hat Enterprise MRG 2 | RedHat | qpid-jca-0:0.18-2.el6 | * |
| Red Hat Enterprise MRG 2 | RedHat | qpid-qmf-0:0.14-14.el6_3 | * |
| Red Hat Enterprise MRG 2 | RedHat | xerces-c-0:3.0.1-20.el6 | * |
| Red Hat Enterprise MRG 2 | RedHat | xqilla-0:2.2.3-8.el6 | * |
| Qpid-cpp | Ubuntu | precise | * |
| Qpid-cpp | Ubuntu | quantal | * |
| Qpid-cpp | Ubuntu | upstream | * |