Multiple vulnerabilities in Apache Pulsar



Published: 2022-09-22
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2022-33683, CVE-2022-33682, CVE-2022-33681
CWE-ID: CWE-295, CWE-297
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Apache Pulsar (Server applications / Conferencing, Collaboration and VoIP solutions)
Vendor: Apache Foundation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper Certificate Validation

EUVDB-ID: #VU67595

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33683

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. A remote attacker can perform a MitM attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.0.0 - 2.10.0

External links

http://seclists.org/oss-sec/2022/q3/228


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper validation of certificate with host mismatch

EUVDB-ID: #VU67594

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33682

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client. A remote attacker can perform a MitM attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.0.0 - 2.10.0

External links

http://seclists.org/oss-sec/2022/q3/227


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper validation of certificate with host mismatch

EUVDB-ID: #VU67593

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33681

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because TLS hostname verification is delayed in the Pulsar Java Client and the Pulsar Proxy. A remote attacker can perform a MitM attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.0.0 - 2.10.0

External links

http://seclists.org/oss-sec/2022/q3/226


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
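The three entries above share one affected range and one mitigation (update from the vendor), and the first entry makes the point that the tlsAllowInsecureConnection setting alone is not a reliable signal: the internal admin client skipped certificate verification even with it disabled. The following Python script is an added example written for this bulletin, not code from the bulletin or from the Apache Pulsar project. It checks a deployment's version against the stated range 2.0.0 - 2.10.0, parses a broker.conf-style file, and reports findings for all three CVEs plus the configuration-level checks. The key tlsAllowInsecureConnection is taken from the bulletin; the key tlsHostnameVerificationEnabled and the sample configuration text are assumptions constructed for the example.

```python
"""Audit a Pulsar deployment against CVE-2022-33683/33682/33681 (added example)."""
import re
from typing import Dict, List, Tuple

# Affected range exactly as stated in the bulletin, inclusive on both ends.
AFFECTED_MIN: Tuple[int, int, int] = (2, 0, 0)
AFFECTED_MAX: Tuple[int, int, int] = (2, 10, 0)

# Findings that depend only on the version: no configuration setting
# mitigates them; the bulletin's mitigation is the vendor update.
VERSION_FINDINGS = {
    "CVE-2022-33683": "internal Pulsar Admin Client in brokers/proxies does not verify "
                      "peer TLS certificates even with tlsAllowInsecureConnection disabled (CWE-295)",
    "CVE-2022-33682": "TLS hostname verification cannot be enabled in the broker, "
                      "WebSocket proxy and proxy internal clients (CWE-297)",
    "CVE-2022-33681": "delayed TLS hostname verification in the Pulsar Java Client "
                      "and the Pulsar Proxy (CWE-297)",
}

# Constructed sample broker.conf fragment (not a real deployment's file).
SAMPLE_CONF = """\
# --- TLS --- (constructed sample)
tlsEnabled=true
tlsAllowInsecureConnection=true
tlsHostnameVerificationEnabled=false
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional leading 'v'; suffixes are ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside the bulletin's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_conf(text: str) -> Dict[str, str]:
    """Parse Pulsar's key=value .conf format; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(version: str, conf_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    if is_affected(version):
        for cve, why in VERSION_FINDINGS.items():
            findings.append(f"{cve}: Pulsar {version} is within 2.0.0 - 2.10.0; {why}; "
                            "apply the vendor update")
    conf = parse_conf(conf_text)
    # Key taken from the bulletin text: explicitly disabling certificate checks.
    if conf.get("tlsAllowInsecureConnection", "false").lower() == "true":
        findings.append("tlsAllowInsecureConnection=true: peer certificates are not "
                        "verified by configuration (CWE-295)")
    # Assumed key name for the broker/proxy hostname-verification switch
    # (not on the bulletin page); treat anything but 'true' as disabled.
    if conf.get("tlsHostnameVerificationEnabled", "false").lower() != "true":
        findings.append("tlsHostnameVerificationEnabled is not true: certificate subject "
                        "is not matched against the peer hostname (CWE-297)")
    return findings


if __name__ == "__main__":
    for finding in audit("2.10.0", SAMPLE_CONF):
        print("-", finding)
```

Run it as-is to see the five findings for the constructed sample; in practice feed it the broker's reported version and the real broker.conf. The version findings are kept separate from the configuration findings on purpose: a clean configuration on an affected release still leaves the first CVE in place, which is why the audit never lets a configuration value suppress a version-range finding.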


