From the Red Hat advisory:
It was found that the Apache Qpid daemon (qpidd) treated AMQP connections
with the federation_tag attribute set as a broker-to-broker connection,
rather than a client-to-server connection. This resulted in the source user
ID of messages not being checked. A client that can establish an AMQP
connection with the broker could use this flaw to bypass intended
authentication. For Condor users, if condor-aviary is installed, this flaw
could be used to submit jobs that would run as any user (except root, as
Condor does not run jobs as root). (CVE-2012-4446)
It was found that the AMQP type decoder in qpidd allowed arbitrary data
types in certain messages. A remote attacker could use this flaw to send a
message containing an excessively large amount of data, causing qpidd to
allocate a large amount of memory. qpidd would then be killed by the Out of
Memory killer (denial of service). (CVE-2012-4458)
An integer overflow flaw, leading to an out-of-bounds read, was found in
the Qpid qpid::framing::Buffer::checkAvailable() function. An
unauthenticated, remote attacker could send a specially-crafted message to
Qpid, causing it to crash. (CVE-2012-4459)
| 