Google Git
Sign in
apache / qpid-site / badac501e58fcdeccb1ab064806c8815d1749537 / . / content / cves / CVE-2018-17187.html
blob: 7ceaab404354666c4652b533020bb18c300d91bd [file] [log] [blame]
<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-top" class="panel">
<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
<ul id="-global-navigation">
<li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
<li><a href="/documentation.html">Documentation</a></li>
<li><a href="/download.html">Download</a></li>
<li><a href="/discussion.html">Discussion</a></li>
</ul>
</div>
<div id="-menu" class="panel" style="display: none;">
<div class="flex">
<section>
<h3>Project</h3>
<ul>
<li><a href="/overview.html">Overview</a></li>
<li><a href="/components/index.html">Components</a></li>
<li><a href="/releases/index.html">Releases</a></li>
</ul>
</section>
<section>
<h3>Messaging APIs</h3>
<ul>
<li><a href="/proton/index.html">Qpid Proton</a></li>
<li><a href="/components/jms/index.html">Qpid JMS</a></li>
<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
</ul>
</section>
<section>
<h3>Servers and tools</h3>
<ul>
<li><a href="/components/broker-j/index.html">Broker-J</a></li>
<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
</ul>
</section>
<section>
<h3>Resources</h3>
<ul>
<li><a href="/dashboard.html">Dashboard</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
<li><a href="/resources.html">More resources</a></li>
</ul>
</section>
</div>
</div>
<div id="-search" class="panel" style="display: none;">
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
<button type="submit">Search</button>
<a href="/search.html">More ways to search</a>
</form>
</div>
<div id="-middle" class="panel">
<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented</li></ul>
<div id="-middle-content">
<h1 id="cve-2018-17187-transport-tls-wrapper-hostname-verification-mode-not-implemented">CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented</h1>
<h2 id="severity">Severity</h2>
<p>Important</p>
<h2 id="affected-components">Affected components</h2>
<p>Qpid Proton-J</p>
<h2 id="affected-versions">Affected versions</h2>
<p>0.3 to 0.29.0</p>
<h2 id="fixed-versions">Fixed versions</h2>
<p>0.30.0</p>
<h2 id="description">Description</h2>
<p>The Proton-J transport includes an optional wrapper layer to perform TLS,
enabled by use of the 'transport.ssl(...)' methods. Unless a verification
mode was explicitly configured, client and server modes previously defaulted
as documented to not verifying a peer certificate, with options to
configure this explicitly or select a certificate verification mode with or
without hostname verification being performed.</p>
<p>The latter hostname verifying mode was not previously implemented, with
attempts to use it resulting in an exception. This left only the option to
verify the certificate is trusted, leaving such a client vulnerable to
Man In The Middle (MITM) attack.</p>
<p>Uses of the Proton-J protocol engine which do not utilise the optional
transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.</p>
<h2 id="resolution">Resolution</h2>
<p>Uses of Proton-J utilising the optional transport TLS wrapper layer that
wish to enable hostname verification must be upgraded to version 0.30.0 or
later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is
now the default for client mode usage unless configured otherwise.</p>
<h2 id="mitigation">Mitigation</h2>
<p>If upgrading is not currently possible then potential workarounds include
providing a custom SSLContext which enables hostname verification, or
omitting use of the 'transport.ssl(...)' methods and performing TLS through
other means such as utilising existing IO framework support or supplying a
custom transport wrapper layer.</p>
<h2 id="references">References</h2>
<p><a href="https://issues.apache.org/jira/browse/PROTON-1962">PROTON-1962</a></p>
<h2 id="credit">Credit</h2>
<p>This issue was reported by Peter Stockli of Alphabot Security.</p>
<hr/>
<ul id="-apache-navigation">
<li><a href="http://www.apache.org/">Apache</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="/security.html">Security</a></li>
<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
</ul>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>