Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-4631

C++ Broker interbroker links should be protected by ACL

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.20
    • Fix Version/s: 0.23
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      This issue addresses CVE-2012-4446

      Federated interbroker links may be opened by client programs and not just by brokers. By default the creation of these links is not protected any formal authorization.

      Users concerned about this issue may immediately lock their systems down by creating ACL rules that allow links to be created only by authorized users. For instance the following ACL rules on each broker would provide the lockdown necessary:

      group proxies <id1> <id2> ...
      acl allow proxies create link
      acl deny-log all create link

      A better solution is for the ACL module to deny the creation of links unless ACL rules are specified to specifically allow them.
      In pseudo code the solution is in two parts. Part one observes CREATE LINK rules in the acl file. Part two authorizes link creation only if ACL is loaded, CREATE LINK ACL rules are specified, and the specific user is authorized to create the link in question:

      function readAclFile()
      ...
      if (CREATE LINK rules are specified)
      set acl->createLinkFlag
      endif
      ...
      end function

      function brokerCreateLink()
      if (aclLoaded)
      if (acl->createLinkFlag)
      if (acl->authorise(user, create, link, properties))
      <create link allowed>
      else
      <create link denied - not authorized>
      endif
      else
      <create link denied - acl did not specify a create link rule>
      endif
      else
      <create link denied - acl module not loaded>
      endif
      end function

      This Jira will track the implementation of this restriction.

        Attachments

          Activity

            People

            • Assignee:
              chug Chuck Rolke
              Reporter:
              chug Chuck Rolke
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: