CVE-2019-0223

Опубликовано: 23 апр. 2019

Источник: nvd

CVSS3: 7.4

CVSS2: 5.8

EPSS Низкий

Описание

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Ссылки

http://www.openwall.com/lists/oss-security/2019/04/23/4
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/108044
Broken Link
https://access.redhat.com/errata/RHSA-2019:0886
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1398
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1399
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1400
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2777
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2778
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2779
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2780
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2781
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2782
Third Party Advisory
https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5%40%3Cdev.qpid.apache.org%3E
https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b%40%3Cdev.qpid.apache.org%3E
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0%40%3Cannounce.apache.org%3E
http://www.openwall.com/lists/oss-security/2019/04/23/4
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/108044
Broken Link

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:qpid:*:*:*:*:*:*:*:*

Версия от 0.9 (включая) до 0.27.0 (включая)

Конфигурация 2

Одновременно

cpe:2.3:a:redhat:jboss_amq_clients_2:-:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:linux:7.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.3:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:5.9:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 61%

0.00407

Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

CVE-2019-0223

CVSS3: 7.4

ubuntu

почти 7 лет назад

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

CVE-2019-0223

CVSS3: 7.4

redhat

почти 7 лет назад

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

CVE-2019-0223

CVSS3: 7.4

debian

почти 7 лет назад

While investigating bug PROTON-2014, we discovered that under some cir ...

SUSE-SU-2024:1074-1

suse-cvrf

почти 2 года назад

Security update for qpid-proton

GHSA-5h6x-m52p-23ph

CVSS3: 7.4

github

больше 3 лет назад

Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton

EPSS

Процентиль: 61%

0.00407

Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

NVD-CWE-noinfo