Cleartext transmission of sensitive information in Apache Qpid Proton - CVE-2016-2166
Published: September 17, 2019
Vulnerability identifier: #VU21145
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-2166
CWE-ID: CWE-319
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Qpid Proton
Apache Qpid Proton
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes in Apache Qpid Proton use insecure communication channel to transmit sensitive information for an amqps URI scheme when SSL support is unavailable. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
How to mitigate CVE-2016-2166
Install updates from vendor's website.
Sources
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
- http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
- http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
- http://www.securityfocus.com/archive/1/537864/100/0/threaded
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585
- https://issues.apache.org/jira/browse/PROTON-1157
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E