Red Hat Enterprise MRG Messaging Qpid Bug Lets Certain Remote Users Bypass Authentication
Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)
A vulnerability was reported in Red Hat Enterprise MRG Messaging. A remote user can access cluster messages and view the internal configuration.
Qpid may accept arbitrary passwords and SASL mechanisms. A remote user on the local private interconnect network with knowledge of a valid cluster name can gain access to the target cluster. The remote user can receive messages replicated to the cluster, send arbitrary cluster messages, mark any present message as consumed, run arbitrary jobs on the cluster, and view, modify, or create arbitrary user jobs. The remote user can also view the internal Qpid/MRG configuration.