Multiple vulnerabilities in Apache Pulsar



Published: 2022-09-22
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-33683
CVE-2022-33682
CVE-2022-33681
CWE-ID CWE-295
CWE-297
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Apache Pulsar
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor Apache Foundation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper Certificate Validation

EUVDB-ID: #VU67595

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-33683

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. A remote attacker can perform MitM attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.0.0 - 2.0.1, 2.1.0 - 2.1.1, 2.2.0 - 2.2.1, 2.3.0 - 2.3.2, 2.4.0 - 2.4.2, 2.5.0 - 2.5.2, 2.6.0 - 2.6.4, 2.7.0 - 2.7.4, 2.8.0 - 2.8.3, 2.9.0 - 2.9.2, 2.10.0


CPE2.3 External links

http://seclists.org/oss-sec/2022/q3/228

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper validation of certificate with host mismatch

EUVDB-ID: #VU67594

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-33682

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client. A remote attacker can perform MitM attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.0.0 - 2.0.1, 2.1.0 - 2.1.1, 2.2.0 - 2.2.1, 2.3.0 - 2.3.2, 2.4.0 - 2.4.2, 2.5.0 - 2.5.2, 2.6.0 - 2.6.4, 2.7.0 - 2.7.4, 2.8.0 - 2.8.3, 2.9.0 - 2.9.2, 2.10.0


CPE2.3 External links

http://seclists.org/oss-sec/2022/q3/227

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper validation of certificate with host mismatch

EUVDB-ID: #VU67593

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-33681

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy. A remote attacker can perform MitM attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.0.0 - 2.0.1, 2.1.0 - 2.1.1, 2.2.0 - 2.2.1, 2.3.0 - 2.3.2, 2.4.0 - 2.4.2, 2.5.0 - 2.5.2, 2.6.0 - 2.6.4, 2.7.0 - 2.7.4, 2.8.0 - 2.8.3, 2.9.0 - 2.9.2, 2.10.0


CPE2.3 External links

http://seclists.org/oss-sec/2022/q3/226

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###