#VU21142 Improper Certificate Validation in Apache Qpid Proton


Published: 2019-09-17

Vulnerability identifier: #VU21142

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0223

CWE-ID: CWE-295

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Apache Qpid Proton
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle attack.

The vulnerability exists because Apache Qpid Proton (the C library and its language bindings) allows anonymous TLS connections with the peer, even when configured to verify the peer certificate. A remote attacker with the ability to intercept traffic can therefore decrypt TLS traffic and perform a MitM attack.
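The following Python script is an added example for this advisory, not code from Apache Qpid Proton. It shows the defender-side check the weakness calls for: turning on peer verification is not sufficient on its own, because an anonymous TLS handshake never carries a certificate, so the verify setting has nothing to inspect. The script assumes the anonymous connections in question are OpenSSL's anonymous (Au=None, "aNULL") cipher suites and audits a client SSLContext for that gap using only the standard `ssl` module; the cipher description strings in `SAMPLE_DESCRIPTIONS` are constructed in the format printed by `openssl ciphers -v`.

```python
"""Audit a TLS client configuration for the weakness described above: peer
verification is enabled, yet the client could still complete a handshake in
which the server presents no certificate (an anonymous cipher suite)."""
import re
import ssl

# Constructed sample of OpenSSL cipher description strings, in the format
# returned by `openssl ciphers -v` and by SSLContext.get_ciphers()["description"].
SAMPLE_DESCRIPTIONS = [
    "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD",
    "AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1",
]

# "Au=None" marks a suite that provides no peer authentication at all.
_AU_NONE = re.compile(r"\bAu=None\b")


def anonymous_suites(descriptions):
    """Return the names of cipher suites whose description says Au=None,
    i.e. suites in which the server never presents a certificate."""
    return [d.split()[0] for d in descriptions if _AU_NONE.search(d)]


def anonymous_suites_offered(ctx: ssl.SSLContext):
    """The same check applied to the suites an SSLContext would actually offer."""
    return anonymous_suites(c["description"] for c in ctx.get_ciphers())


def verification_is_enforced(ctx: ssl.SSLContext) -> bool:
    """True only if the context requires a peer certificate, checks the hostname,
    and offers no suite under which the certificate requirement could be skipped."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and not anonymous_suites_offered(ctx)
    )


def hardened_client_context() -> ssl.SSLContext:
    """Client context with verification on and anonymous suites excluded
    explicitly, instead of relying on whatever the default cipher list is."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")  # refuse suites without peer auth
    return ctx


def verify_on_but_anonymous_allowed() -> ssl.SSLContext:
    """The shape of the advisory's bug: verification is requested, but the cipher
    list still admits anonymous suites. Whether any aNULL suite is actually
    available depends on the local OpenSSL build, so this is for illustration."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ALL:aNULL")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Verification switched off entirely; fails the audit for a different reason."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("anonymous in sample list:", anonymous_suites(SAMPLE_DESCRIPTIONS))
    for label, ctx in [
        ("hardened", hardened_client_context()),
        ("verify on, aNULL allowed", verify_on_but_anonymous_allowed()),
        ("verify off", weak_client_context()),
    ]:
        print(f"{label}: enforced={verification_is_enforced(ctx)} "
              f"anonymous={anonymous_suites_offered(ctx)}")
```

The point of `verification_is_enforced` is that it inspects the offered cipher list as well as `verify_mode`: a client that requires a certificate but still offers an anonymous suite can be steered by an on-path peer into a handshake where no certificate is ever checked, which is the condition this advisory describes.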

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Apache Qpid Proton: 0.9 - 0.27.1


External links
http://www.openwall.com/lists/oss-security/2019/04/23/4
http://www.securityfocus.com/bid/108044
http://access.redhat.com/errata/RHSA-2019:0886
http://access.redhat.com/errata/RHSA-2019:1398
http://access.redhat.com/errata/RHSA-2019:1399
http://access.redhat.com/errata/RHSA-2019:1400
http://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
http://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E
http://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E
http://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E
http://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
http://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
