Main Vulnerability Database Vulnerabilities #VU160

Security restrictions bypass in Apache Qpid Proton-J - CVE-2016-4467

Published: July 18, 2016 / Updated: March 21, 2018

Vulnerability identifier: #VU160

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-4467

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Qpid Proton-J

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certificate validation on the target system.

The vulnerability exists due to authentication error in Apache Qpid Proton Library. The Proton C client and C-based client bindings on Windows-based systems improperly verify that the server host name matches the domain name in the certificate's Common Name (CN) or subjectAltName fields.

Applications that use the Proton C library for SSL/TLS authentication on Windows-based systems with the default SChannel-based security layer are affected.

How to mitigate CVE-2016-4467

The vendor has issued a fix (Qpid Proton 0.13.1).

Sources

http://qpid.apache.org/releases/qpid-proton-0.13.1/release-notes.html

Security restrictions bypass in Apache Qpid Proton-J - CVE-2016-4467

Detailed vulnerability description

How to mitigate CVE-2016-4467

Sources

Please verify you're human