{"containers": {"cna": {"affected": [{"product": "Apache Qpid Proton-J", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Qpid Proton-J 0.3 to 0.29.0"}]}], "datePublic": "2018-11-13T00:00:00", "descriptions": [{"lang": "en", "value": "The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise."}], "problemTypes": [{"descriptions": [{"description": "Hostname verification support not implemented, exception thrown if configured.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-11-16T10:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://issues.apache.org/jira/browse/PROTON-1962"}, {"name": "105935", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105935"}, {"tags": ["x_refsource_MISC"], "url": "https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://qpid.apache.org/cves/CVE-2018-17187.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2018-17187", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Qpid Proton-J", "version": {"version_data": [{"version_value": "Apache Qpid Proton-J 0.3 to 0.29.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Hostname verification support not implemented, exception thrown if configured."}]}]}, "references": {"reference_data": [{"name": "https://issues.apache.org/jira/browse/PROTON-1962", "refsource": "MISC", "url": "https://issues.apache.org/jira/browse/PROTON-1962"}, {"name": "105935", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105935"}, {"name": "https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E", "refsource": "MISC", "url": "https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"}, {"name": "https://qpid.apache.org/cves/CVE-2018-17187.html", "refsource": "MISC", "url": "https://qpid.apache.org/cves/CVE-2018-17187.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:39:59.671Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.apache.org/jira/browse/PROTON-1962"}, {"name": "105935", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105935"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://qpid.apache.org/cves/CVE-2018-17187.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-17187", "datePublished": "2018-11-13T15:00:00", "dateReserved": "2018-09-19T00:00:00", "dateUpdated": "2024-08-05T10:39:59.671Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:qpid_proton-j:*:*:*:*:*:*:*:*", "matchCriteriaId": "62762E8D-905E-46EB-9C97-3CE19EB8443F", "versionEndIncluding": "0.29.0", "versionStartIncluding": "0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise."}, {"lang": "es", "value": "El transporte de Apache Qpid Proton-J incluye una capa wrapper opcional para realizar TLS, habilitado por el uso de los m\u00e9todos \"transport.ssl(...)\". A menos que hubiese un modo de verificaci\u00f3n expl\u00edcito, los modos cliente y servidor se consideraban por defecto como documentados para as\u00ed no verificar el certificado peer, con opciones para configurar esto de forma expl\u00edcita o seleccionar un modo de verificaci\u00f3n de certificado con o sin un proceso de verificaci\u00f3n de nombres de host. Este \u00faltimo modo de verificaci\u00f3n de nombres de host no se implement\u00f3 en Apache Qpid Proton-J, de la versi\u00f3n 0.3 a la 0.29.0; los intentos para emplearlo resultaron en una excepci\u00f3n. Esto solo dej\u00f3 una opci\u00f3n para verificar que se conf\u00eda en el certificado, dejando que el cliente sea vulnerable a un ataque Man-in-the-Middle (MitM). Los usos del motor del protocolo Proton-J que no emplean el wrapper opcional de transporte TLS no se han visto impactados (p. ej., su uso en Qpid JMS). Los usos de Proton-J que empleen la capa wrapper opcional de transporte TLS que deseen habilitar la verificaci\u00f3n de nombres de host deben actualizarse a la versi\u00f3n 0.30.0 o posteriores y emplear la configuraci\u00f3n VerifyMode#VERIFY_PEER_NAME, que ahora es la predeterminada para el uso del modo cliente a no ser que se configure de otra forma."}], "id": "CVE-2018-17187", "lastModified": "2024-11-21T03:54:02.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-13T15:29:00.313", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105935"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/PROTON-1962"}, {"source": "security@apache.org", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"}, {"source": "security@apache.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://qpid.apache.org/cves/CVE-2018-17187.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105935"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/PROTON-1962"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://qpid.apache.org/cves/CVE-2018-17187.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "qpid-proton-java: Hostname verification mode not implemented in transport TLS wrapper", "id": "1651837", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1651837"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise."], "name": "CVE-2018-17187", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_mrg:3", "fix_state": "Will not fix", "impact": "low", "package_name": "qpid-proton-java", "product_name": "Red Hat Enterprise MRG 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "proton-j", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Out of support scope", "package_name": "proton-j", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "proton-j", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "proton-j", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2018-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-17187\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-17187\nhttps://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E\nhttps://qpid.apache.org/cves/CVE-2018-17187.html"], "statement": "This flaw is present in qpid-proton-java packages in Red Hat Enterprise MRG Messaging, however the vulnerable TLS transport functionality is not used by any components of MRG Messaging so the vulnerability is not exposed. For MRG Messaging, this vulnerability has been given an impact rating of Low, and is not planned to be fixed at this time.", "threat_severity": "Moderate"}