TLS Vulnerability in Apache Qpid Proton-J Transport
CVE-2018-17187

7.4HIGH

Key Information:

Vendor: Apache
CVE Published: 13 November 2018

Summary

The Apache Qpid Proton-J transport has a vulnerability that stems from its optional TLS wrapper layer. In versions 0.3 to 0.29.0, the default configuration does not enforce peer certificate verification, which exposes users to man-in-the-middle (MITM) attacks. Although users could configure the TLS transport to verify the peer certificate, hostname verification (VerifyMode#VERIFY_PEER_NAME) was not implemented in the affected versions, so requesting it had no effect. To mitigate this vulnerability, users should upgrade to version 0.30.0 or later, which implements hostname verification and makes VerifyMode#VERIFY_PEER_NAME the default, and ensure that this setting has not been overridden with a weaker verify mode.
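The following is an added example, not code from the Apache Qpid project, showing the hardened client-side configuration the mitigation calls for on Proton-J 0.30.0 or later: a trusted CA database, an explicit VerifyMode#VERIFY_PEER_NAME, and the expected hostname passed to the transport through SslPeerDetails. The CA bundle path and the broker host and port are placeholders; the SslDomain, Transport and Proton factory methods used are the Proton-J engine API as documented, and the startup check in secureTransport is this example's own addition.

```java
import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.SslPeerDetails;
import org.apache.qpid.proton.engine.Transport;

/**
 * Added example (not part of Apache Qpid): build a Proton-J TLS client
 * configuration that verifies both the peer certificate chain and the
 * peer hostname, and refuses to start with anything weaker.
 */
public final class HardenedProtonTls {

    // Placeholder: PEM bundle of CA certificates this client trusts.
    private static final String TRUSTED_CA_PEM = "/etc/myapp/tls/trusted-ca.pem";

    /** Client-side SslDomain that requires chain and hostname verification. */
    public static SslDomain clientDomain(String trustedCaPath) {
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setTrustedCaDb(trustedCaPath);
        // Set explicitly even though 0.30.0+ defaults to VERIFY_PEER_NAME:
        // a defensive configuration should not depend on library defaults.
        // On 0.3 to 0.29.0 this request was silently not honoured
        // (CVE-2018-17187), which is why upgrading is the actual fix.
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER_NAME);
        return domain;
    }

    /**
     * Attach TLS to a fresh transport, supplying the hostname the peer's
     * certificate must match. Fails fast if the domain was weakened.
     */
    public static Transport secureTransport(SslDomain domain, String host, int port) {
        if (domain.getPeerAuthentication() != SslDomain.VerifyMode.VERIFY_PEER_NAME) {
            throw new IllegalStateException(
                "refusing to connect: TLS domain does not verify the peer name");
        }
        Transport transport = Proton.transport();
        SslPeerDetails peer = Proton.sslPeerDetails(host, port);
        transport.ssl(domain, peer);
        return transport;
    }

    public static void main(String[] args) {
        // Placeholder broker endpoint; replace with the real AMQP/TLS peer.
        String brokerHost = "broker.example.internal";
        int brokerPort = 5671;

        SslDomain domain = clientDomain(TRUSTED_CA_PEM);
        Transport transport = secureTransport(domain, brokerHost, brokerPort);
        System.out.println("TLS transport configured with verify mode "
            + domain.getPeerAuthentication() + " for " + brokerHost + ":" + brokerPort);
        // The transport would now be bound to a Connection and driven by the
        // application's I/O loop in the usual Proton-J way.
    }
}
```

The explicit check in secureTransport is the point of the example: on a patched library the default is already VERIFY_PEER_NAME, so the check only ever fires if some other code path downgraded the domain to VERIFY_PEER or ANONYMOUS_PEER, which is exactly the misconfiguration that would reintroduce the MITM exposure described above.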

Affected Version(s)

Apache Qpid Proton-J 0.3 to 0.29.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability Published

  • Vulnerability Reserved