Description
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
A cryptographic weakness was discovered in qpid-proton's use of TLS. If the qpid-proton client was used without client certificates, it would accept an anonymous cipher offered by the server. A man-in-the-middle attacker could use this to silently intercept traffic that should have been encrypted.
Statement
Red Hat OpenStack Platform 14 (and its Operational Tools) is impacted by this flaw; other supported versions are not vulnerable. Red Hat Virtualization 4 uses qpid-proton for katello-agent, which always uses client certificate authentication. Red Hat Update Infrastructure 3 is impacted by this flaw; however, in its default configuration client certificate authentication is used and the qpidd service, which uses qpid-proton, cannot be reached from other machines.
Mitigation
This attack will not work if client-certificate authentication is in place because anonymous ciphers would not then be available. Another possible mitigation is to disable anonymous ciphers on clients.
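The mitigation above works because an anonymous cipher suite (ADH/AECDH, "DH_anon" in IANA naming) carries no server certificate at all, so a client that only sets "verify the peer certificate" has nothing to verify and the check is never exercised; the suite must be excluded from the client's cipher list as well. The following is an added example, not code from Apache Qpid Proton or from Red Hat: it uses Python's standard ssl module to build a client context that both requires a verified server certificate and refuses anonymous and null-encryption suites, and it provides two checks a client can apply (before connecting, over the context's offered suites; after the handshake, over the negotiated suite). The cipher string and the suite names in the test are constructed for this example.

```python
"""Client-side mitigation for anonymous-cipher acceptance (added example)."""
import ssl
from typing import List, Tuple

# OpenSSL cipher string constructed for this example: strong suites only, with
# anonymous key exchange (aNULL) and null encryption (eNULL) excluded explicitly,
# so the exclusion does not depend on the OpenSSL version's DEFAULT list.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4"


def is_anonymous_cipher(name: str) -> bool:
    """True if a cipher suite name (OpenSSL or IANA spelling) denotes anonymous
    key exchange: OpenSSL uses the ADH-/AECDH- prefixes, IANA uses '_anon_'."""
    upper = name.upper()
    return upper.startswith("ADH-") or upper.startswith("AECDH-") or "ANON" in upper


def hardened_client_context() -> ssl.SSLContext:
    """Client context for a connection made without a client certificate.

    Requiring a verified server certificate is necessary but, on its own, not
    sufficient: an anonymous suite presents no certificate, so the cipher list
    must exclude such suites too."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def anonymous_suites(ctx: ssl.SSLContext) -> List[str]:
    """Pre-connect check: suites the context would still offer that use
    anonymous key exchange. Uses the 'auth' field OpenSSL reports where present,
    falling back to the suite name. Expected to be empty for a hardened context."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("auth") == "auth-null" or is_anonymous_cipher(c["name"])
    ]


def negotiated_cipher_is_safe(cipher: Tuple[str, str, int]) -> bool:
    """Post-handshake check on the tuple returned by SSLSocket.cipher():
    (name, protocol, secret bits). Rejects anonymous suites and weak keys."""
    name, _protocol, bits = cipher
    return not is_anonymous_cipher(name) and bits >= 128


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("anonymous suites still offered:", anonymous_suites(ctx))
    # A client would wrap its socket with ctx.wrap_socket(sock, server_hostname=host)
    # and then apply negotiated_cipher_is_safe(ssock.cipher()) before sending data.
```

With client certificate authentication in place the server cannot select an anonymous suite in the first place, which is the first mitigation the advisory names; the context above is the second one, applied on clients that connect without a certificate.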
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| A-MQ Interconnect 1 | qpid-proton | Affected | ||
| Red Hat AMQ Broker 7 | qpid-proton | Not affected | ||
| Red Hat Enterprise MRG 3 | qpid-proton | Will not fix | ||
| Red Hat Fuse 7 | proton-j | Not affected | ||
| Red Hat JBoss A-MQ 6 | proton-j | Out of support scope | ||
| Red Hat JBoss Fuse 6 | proton-j | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | proton-j | Affected | ||
| Red Hat OpenStack Platform 8 (Liberty) | qpid-proton | Will not fix | ||
| Red Hat Update Infrastructure 3 for Cloud Providers | qpid-proton | Will not fix | ||
| Red Hat Virtualization 4 | redhat-virtualization-host | Not affected | ||
Additional information
CVSS3: 7.4 High
Related vulnerabilities
Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton