Azure uAMQP is a general purpose C library for AMQP 1.0. The UAMQP library is used by several clients to implement AMQP protocol communication. When clients using this library receive a crafted binary type data, an integer overflow or wraparound or memory safety issue can occur and may cause remote code execution. This vulnerability has been patched in release 2024-01-01.
When a client using the uAMQP-C library receives crafted binary data of a specific type, an integer overflow or wraparound occurs, leading to a memory safety violation. The error results from improper validation of input data when decoding AMQP messages (CWE-190, CWE-94). The consequence is the ability to execute arbitrary code in the context of the process handling the AMQP connection.
An attacker can gain full control over a vulnerable system through remote code execution (RCE), which threatens the confidentiality, integrity, and availability of data and services.
The azure-uamqp-c library should be updated to the version released on 2024-01-01 (commit 12ddb3a31a5a97f55b06fa5d74c59a1d84ad78fe). This also applies to all products and applications that indirectly use this library — dependencies should be checked and updated to versions containing the patch.
The Azure uAMQP-C library (azure-uamqp-c) and all applications and clients using this library for AMQP communication — versions prior to the release on 2024-01-01.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Azure Uamqp
APPMicrosoft< 2024-01-01
Related vulnerabilities
Double free w bibliotece uAMQP-C prowadzący do RCE w Azure
Use-after-free w Microsoft Azure UAMQP-C umożliwiający zdalny RCE
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE w Windows Server Update Service (WSUS) — deserializacja danych