Description
Apache Geode SSL endpoint verification vulnerability
When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack.
Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-10091
- https://github.com/apache/geode/pull/3849
- https://github.com/apache/geode/commit/e57028fd62a2f5980ea6c9a7ab89ada06c828634
- https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities
- https://issues.apache.org/jira/browse/GEODE-7018
- https://lists.apache.org/thread.html/r3342077ac4798631300366be86e545d0c08753cca8fd2663867fe200%40%3Cdev.geode.apache.org%3E
Packages
Name: org.apache.geode:geode-core
Ecosystem: maven
Affected versions: < 1.10.0
Fixed version: 1.10.0
Related vulnerabilities
CVSS3: 7.4
nvd
almost 6 years ago